I would like to hear about the security implications of my desktop app’s current API usage workflow:
- Client-side WPF desktop app connects to Azure Key Vault, a cloud vault, by authenticating via a self-signed certificate packaged and distributed with the app’s installer.
- Client app retrieves the API key and the key is assigned to a declared runtime object.
- Client app uses the key value to make the required GET requests.
- Client app closes with Application.Current.Shutdown().
Not well-versed in security myself, but I wondered:
- Is distributing self-signed certs a risky practice? Ie. others may create a clone app with it
- Can others potentially hack into the client during runtime and access the key?
- Potentials for man-in-the-middle attacks to intercept keys when retrieving from vault?
Keen to hear expert thoughts about the above and other ideas. I can’t think of another way to make the GET request directly from client-side.