App Keys & Secrets: Security

In order for your app to communicate with the Airship API it must use a key and secret combination that authenticates it to your Airship app setup. These keys are generated automatically when you create an app in our dashboard, and you manually copy them into your iOS, Android/Amazon. or Windows app configuration. Since app bundles are fundamentally considered insecure (they can be decompiled), this key and secret combination limits the APIs that your device can communicate with. This allows the device to modify tags and named user for a specific channel, device token, or APID, and nothing more.

Push addresses/tokens are sufficiently random that they can be considered obscure, and the associated data is low risk. We employ additional security on our servers to monitor for abuse. Tags and named user should be considered obscure, however they are trusted APIs for devices to access so you should not place sensitive information in a tag or named user.

We generate one additional piece of data called the Master Secret, which is used to do all communication with our wider APIs. The Master Secret should never be placed in an app bundle, nor released to the public. This is the secret you use to authenticate requests to our server for generating pushes, rich app pages, and more.

Definitions

App Key
Airship-generated string identifying the app setup. Used in the application bundle. Only available in the Airship dashboard.
App Secret
Airship-generated string identifying the app setup secret. Used in the application bundle. Only available in the Airship dashboard.
Master Secret
Airship-generated string used for server-to-server API access. This secret must never be shared or placed in an application bundle. Only available in the Airship dashboard.
Partner Secret
Airship-generated string used for server-to-server API access to create and manage applications for partner integrations. This should never be shared or placed in an application bundle. Only available through manual channels.
User ID
Airship-generated string passed back to devices and stored in the device keychain for authenticating user-related device API actions when paired with the Password. This is not the same as your Airship dashboard user ID.
Password
Airship generated string passed back to devices and stored in the device keychain for authenticating User related device API actions when paired with the User ID. This is not the same as your Airship dashboard password.
Push Address or Token
A unique proprietary string generated by device vendors (Apple, Google, Windows, Amazon) for identifying an addressable push device. This is passed back to the device via vendor specific APIs and then stored by Airship for addressing push messages and authenticating push related APIs.
Dashboard User ID and Password
The credentials used to log in to the Airship Dashboard The Airship web interface located at go.airship.com or go.airship.eu. .

API Authentication Map

API FeatureCreateReadUpdateDelete
TagsApp Key/Secret & TokenSingle: App Key/Secret & Token Enumerate: App Key/SecretApp Key/Secret & TokenSingle from Device: App Key/Secret & Token All tags, all devices: Master Secret
Device Token/APID/PIN RegistrationApp Key/Secret & TokenSingle: App Key/Secret & Token Enumerate: Master SecretApp Key/Secret & TokenApp Key/Secret & Token1
Push MessageMaster Secret2Scheduled Push: Master SecretScheduled Push: Master SecretScheduled Push: Master Secret
Rich Push MessageApp Key/Master SecretUser ID/PasswordN/AUser ID/Password
UserApp Key/Master SecretSingle: User ID/Password or Master Secret Enumerate: Master SecretUser ID/Password or Master SecretUser ID/Master Secret1
Partner APIPartner Key/Secret3Partner Key/SecretPartner Key/SecretPartner Key/Secret

1. Marks as inactive.
2. Unless push from device feature.
3. Only available to Airship partners.

Tag & Named User Security

Tags and named users are considered obscure, but not secure in our system. We recommend that you not use them to store sensitive information. The obscurity varies by platform, as push addresses/tokens are a different format for each vendor (Apple, Google, Microsoft, Amazon). Typically these are UUIDs or similar, but this is not guaranteed and should be considered proprietary in nature. To gain access to a specific device's tags or the named user it belongs to from an unauthorized source you would need to guess the push identifier, which is mathematically improbable, or obtain it by other means.

Given that certain tag operations can be completed without the master secret it is possible for a user, with the app key, secret, and push address, to list tags for an app and subscribe or unsubscribe themselves to those tags. Please be aware of this as you plan your own usage of the tag API.