I'm creating a mobile app (both Android and iPhone) and plan to require client-side SSL authentication. To do this, my app has its client cert file baked in. On the Android side, this is a key store containing a private key. Both key store and key have a password.
My question: how/where should I store the passwords to the key store and the key?
The app code needs these in order to open the key store when making an SSL connection to the server, so they need to be accessible to the app.
Should they be stored as obfuscated strings in the app source code? Or is there some more commonly accepted (read: better) way of doing this that I'm not seeing?
The encryption used to protect the keystore is based on a password, so you'll either need to (1) store that password in your client somewhere, or (2) ask the user for the password when they start your client app. What you need to do depends on your usecase. If (2) is acceptable, then you've protected your credential against reverse engineering since it will be encrypted and the password will not be stored anywhere (but the user will need to type it in everytime). If you do (1), then someone will be able to reverse engineer your client, get the password, get the keystore, decrypt the private key and certificate, and create another client that will be able to connect to the server - this is true regardless of where you store this password (be that in the compiled application code, as a resource within your APK/package, in a SharedPreference, in a database, etc; it's still there, and it will exist in some form where it is understandable at some point.
There is nothing you can do to prevent this; you can make reverse engineering your code harder (by obfuscation, etc) but you cannot make it impossible. You need to determine what the risk you are trying to mitigate with these approaches is and how much work is worth doing to mitigate it.