The SDK is designed to be easy to use and hard to misuse, but to ensure the best possible security some principles need to be followed.

This guide sets out important guidelines, and we strongly recommend that you stick to them. There may be valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.

App secret

When creating your app, you will get its private key (the app secret). It is used by your server-side application to authorize the addition of every user's first device. It does not allow you to decrypt any user data.

Tanker staff do not have access to your app secret, so make sure you never lose it: it cannot be recovered. It must be saved securely, preferably in a physical location such as a safe.

The app secret key should be safely stored server-side

If the app secret leaks (for instance, because it is included in code running client-side), whoever obtains it gains administrative privileges over all your users.

Thus, it should be stored only on your servers, and protected like any other secret your servers use.

Tanker identity

The Tanker identity has several purposes:

  • It protects the private keys stored on users' devices
  • It contains signature keys used to make sure user additions are legitimate
  • It links the user in your application with Tanker

Note that its generation uses the app secret.

The Tanker identity must only be sent to authenticated users

If you fail to check that users are authenticated before returning their Tanker identity, attackers may impersonate legitimate users, and any resources shared with those users will be compromised.

The Tanker identity must be stored server-side

Each Tanker identity can only be generated once per user, so you should store the identities on your servers so that they are available whenever an authenticated user wants to open a session.

The Tanker identity should not be stored client-side

If you store the Tanker identity client-side unencrypted, anyone with access to the device will be able to decrypt, encrypt and share any data without needing to authenticate to your servers.

Allowed origins

The Tanker SDK implements the Cross-Origin Resource Sharing (CORS) mechanism.

When you create an app in the dashboard, you can specify a whitelist of allowed origins. Calls from any other origin will be blocked by web browsers. If no whitelist is configured, all origins are accepted.

For security purposes we strongly advise you to configure allowed origins in your app settings.
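To make the consequence of an unconfigured whitelist concrete, here is an added example (not Tanker's code; the dashboard does this for you) of how an origin allow-list is typically turned into a CORS decision on the server side. Origins are compared as whole values (scheme, host and port) after normalisation, never by substring, and the empty list reproduces the "all origins accepted" behaviour described above, which is the state you want to move away from. The function name and return shape are this example's own.

```javascript
// Added example: origin allow-list evaluation for a CORS response (not Tanker's code).

// Normalise an origin string to scheme://host[:port]; returns null for values
// that are not a proper origin, including the opaque "null" origin browsers
// send for sandboxed frames and file:// pages.
function normalizeOrigin(origin) {
  try {
    const url = new URL(origin);
    return url.origin === 'null' ? null : url.origin;
  } catch (e) {
    return null;
  }
}

// Decide whether a cross-origin request from `requestOrigin` (the browser's
// Origin header, or undefined when absent) is allowed, and which response
// headers to emit. `allowedOrigins` is the whitelist from the app settings.
function corsDecision(allowedOrigins, requestOrigin) {
  if (requestOrigin === undefined) {
    // No Origin header: not a cross-origin browser request, nothing to add.
    return { allowed: true, headers: {} };
  }

  if (allowedOrigins.length === 0) {
    // Unconfigured whitelist: every origin is accepted. Any website a user
    // visits can make calls on their behalf, which is why the guide advises
    // against leaving it empty.
    return { allowed: true, headers: { 'Access-Control-Allow-Origin': '*' } };
  }

  const origin = normalizeOrigin(requestOrigin);
  if (origin === null) {
    return { allowed: false, headers: {} };
  }

  // Exact match on the normalised origin. A suffix or substring check would let
  // "https://app.example.com.attacker.test" match "https://app.example.com".
  const whitelist = allowedOrigins.map(normalizeOrigin).filter((o) => o !== null);
  if (!whitelist.includes(origin)) {
    return { allowed: false, headers: {} };
  }

  // Echo the single matching origin and tell caches the answer depends on it.
  return {
    allowed: true,
    headers: { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' },
  };
}
```

When you fill in the whitelist in the dashboard, list each origin exactly as the browser sends it (for example `https://app.example.com`, with the port if it is non-default), one entry per deployed front end, and include nothing broader than the origins that actually embed the SDK.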