You need to sign in to do that
Don't have an account?
Starfish
Securely Create a Protected Custom Setting
I've just had a package rejected from the AppExchange for 'Insecure Storage of Sensative Data.' This is because I had the Post-Install script create a Protected Custom Setting which contained an API Secret and API Key. The trouble, apparently, is that both of these are visible in the Apex Class, though it is a managed package, so those are inaccessible to users by any means I know of.
Thus my question is how are we supposed to create Protected Custom Settings in a secure manner? The trouble is that the user is not supposed to have access to the API Key or API Secret. We cannot have them create the Protected Custom Setting. The API Key and API Secret are the same for everyone who uses the package, so these must be added in an automated fashion, securely. But I don't see how this is possible if the code itself is considered insecure.
Thus my question is how are we supposed to create Protected Custom Settings in a secure manner? The trouble is that the user is not supposed to have access to the API Key or API Secret. We cannot have them create the Protected Custom Setting. The API Key and API Secret are the same for everyone who uses the package, so these must be added in an automated fashion, securely. But I don't see how this is possible if the code itself is considered insecure.
You have to create a "Settings" tab where user will enter API secret and API key. You have to provide some documentation for it.
Solution 2:
Encrypt API secret and key and decrypt in real time when post install script run.
You can not directly write these critical details in a variable.
Its not about you have managed package and it won't be visible at customer end. If it is encrypted it can not be decoded without knowing encrytion algos and a programming language. At least these precaution must be taken.