I was planning on using a commercial AmiBroker Kite bridge (e.g. EtaTrader, robotrader).
However, I see that the api_key and api_secret have to be embedded/saved in these desktop bridge apps.
But as per the Kite docs, it says:
"Never expose your api_secret by embedding it in a mobile app or a client side application. Do not expose the access_token you obtain for a session to the public either."
Now, I am no security expert, but aren't these apps dangerous by embedding/saving all user access data in the bridge app?
> Now, I am no security expert, but aren't these apps dangerous by embedding/saving all user access data in the bridge app?
Yes, you're right. Sharing the `api_key` and `api_secret` is just like sharing a username/password with a 3rd party. They can generate a session anytime, log in and do all sorts of activities (as scoped by the permissions granted to the app) with it.
It's advisable not to share your API keys and secrets with any 3rd party app. All such apps should implement a proper login workflow where only the access key is stored with the 3rd party (which you can revoke anytime, should the need arise).
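The login workflow described above, as an added illustration (not code from Zerodha, Kite Connect or any bridge vendor): Kite Connect's session-token step needs a SHA-256 checksum of api_key + request_token + api_secret, so whoever computes it must hold the secret. Keeping that step in the user's own script or backend means the bridge app only ever receives the revocable access_token. The broker endpoint is simulated so the flow runs offline, and every credential value is constructed.

```python
import hashlib
import secrets
from dataclasses import dataclass, fields

# Constructed sample values (not real Kite credentials).
API_KEY = "examplekey"
API_SECRET = "examplesecret"
BROKER_REGISTRY = {API_KEY: API_SECRET}  # stands in for the broker's app registry

def kite_checksum(api_key: str, request_token: str, api_secret: str) -> str:
    """SHA-256 of api_key + request_token + api_secret, which Kite Connect's
    session-token step requires; only a holder of api_secret can compute it."""
    return hashlib.sha256((api_key + request_token + api_secret).encode()).hexdigest()

def simulated_broker_session(api_key: str, request_token: str, checksum: str) -> str:
    """Stand-in for the broker's token endpoint (constructed, not Kite's own code):
    recompute the checksum with the registered secret and refuse on mismatch."""
    expected = kite_checksum(api_key, request_token, BROKER_REGISTRY[api_key])
    if not secrets.compare_digest(expected, checksum):
        raise PermissionError("checksum mismatch: caller does not know api_secret")
    return "tok_" + hashlib.sha256(expected.encode()).hexdigest()[:24]

class SecretHolder:
    """The one place api_secret lives: the user's own script or backend,
    never the vendor's bridge binary or its settings file."""
    def __init__(self, api_key: str, api_secret: str):
        self._api_key, self._api_secret = api_key, api_secret

    def exchange_request_token(self, request_token: str) -> str:
        # request_token arrives via the browser redirect after the user logs in on kite.trade.
        checksum = kite_checksum(self._api_key, request_token, self._api_secret)
        return simulated_broker_session(self._api_key, request_token, checksum)

@dataclass
class BridgeConfig:
    """What the third-party bridge is allowed to persist: api_key and a revocable
    access_token. There is deliberately no api_secret field."""
    api_key: str
    access_token: str

def run_login_flow(request_token: str, api_secret: str = API_SECRET) -> BridgeConfig:
    """Full flow: the secret-holding side mints the session; the bridge gets only the token."""
    token = SecretHolder(API_KEY, api_secret).exchange_request_token(request_token)
    return BridgeConfig(api_key=API_KEY, access_token=token)

def bridge_stores_secret(cfg: BridgeConfig) -> bool:
    """True only if the persisted bridge config carries an api_secret field."""
    return any(f.name == "api_secret" for f in fields(cfg))
```

With the secret held outside the bridge, a leaked config yields a token that expires and can be revoked, but not the ability to mint new sessions.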
This is w.r.t. our software EtaTrader.
1. Your credentials are stored on your local computer only; credentials are encrypted before saving and decrypted while loading the software. You can check the user settings file at
C:\Users\Administrator\AppData\Local\Howutrade_Software_Soluti\EtaZerodha.exe_StrongName_*************\1.0.0.0\user.config
For someone to get your api key and secret, they must get access to your computer and they should know the encryption key. We hope it is tough.
2. The risk is greater when you use web apps, where all your credentials (including client id and password) are stored on the 3rd party server. Example web apps: Tradetron etc.
3. Every communication to the Zerodha API/OMS happens directly from your computer, i.e. order requests, data etc.
4. AmiBroker/Excel to EtaTrader communication happens locally.
5. No sensitive information is passed from EtaTrader to our servers except:
a. Your client id and name are used during login to validate your license.
b. Automatic error reporting.
c. If order and position alerts are enabled, those details will be processed through our mail servers and the details are flushed at EOD.
How can you verify this?
You can use network tools like GlassWire to see the data transfers that happen between EtaTrader and web servers.
You can block howutrade servers post-login using a firewall etc. and unblock during the next login; this will ensure that nothing is transferred to howutrade servers, including error reports, post-login.
If you want 100% privacy, we also have a file-based license model.
Pros:
Local license validation
100% no communication to howutrade servers
Cons:
No license transfer permitted, i.e. no Client Id switching
No Telegram or email alerts
Will be charged a little extra
Scenarios:
1. Access token only compromised
Without your api key, nothing can be done with the access token alone.
2. API key and secret compromised
Without entering the Client Id in the developer dashboard, they can't use the credentials.
3. API key and access token compromised
At most, they can place orders or cancel existing orders in your account and view funds.
When you find suspicious orders, report to Zerodha; they can track the culprit by IP address.
You reset your secret key.
Kite API follows OAuth, so your Client Id, Password and PIN are used in web browsers; they are safe unless you have added some malware plugins to your browser.
After all, trust is the main thing; we always store sensitive information somewhere (like passwords in Google). For example, in the Razorpay payment gateway we enter our card details, which are stored on their servers only. But we don't suspect Razorpay, because we believe in them and they are bound by rules and regulations. But if Razorpay wants to do something with your card details, they definitely can.
Thanks for the clarifications. Please note I was not targeting you in any way.
I'm just concerned about the general laxity about security in the bridge apps, which have become plentiful these days.
I only wish Zerodha and other brokers would take notice of these apps before it's too late.
In any case, I appreciate your honesty regarding the security of your bridge app.