To securely manage and store Connected App credentials in managed packages, follow these best practices:
1. **Use Protected Storage**: Store credentials using Protected Custom Settings or Protected Custom Metadata to ensure they are not exposed to unauthorized users. Avoid public custom settings, public custom metadata, or custom objects without encryption.
2. **Encryption**: Encrypt credentials using AES-128 or higher encryption. Use Apex Crypto calls to encrypt secrets and store the encryption key in a protected custom setting or hidden custom metadata API field. For server-side applications, store the encryption key separately in a property file that the database process cannot access.
3. **Provide Secure UI**: Build a custom UI using Visualforce, Aura, or LWC to allow subscribers to input credentials securely. Pass the subscriber's input to an Apex class within the managed package for secure storage.
4. **Named Credentials**: Use Named Credentials for locally generated or per-org secrets, but be aware that administrators can view these credentials.
5. **Avoid Hardcoding**: Never hardcode sensitive information in your codebase or store credentials directly on the client side.
6. **Set Proper Permissions**: Ensure fields containing encrypted secrets have appropriate permissions to restrict access.
8. **Use Transient Keyword**: When writing code to update protected custom settings, declare the controller properties that hold the admin's input with the `transient` keyword so sensitive data is not serialized into the view state.
8. **Prevent Exposure in Logs**: Ensure sensitive data is not logged or exposed in debug logs.
10. **Client Application Storage**: For client-side applications, use vendor-provided keychains, keystores, or DPAPI (the Windows Data Protection API) for storing credentials. For browser apps, rely on password managers instead of storing secrets directly.
10. **Clear Documentation**: Clearly explain the changes and authorization levels required from the admin in the app setup page and seek user consent for the level of access being requested.
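The following Apex is an added illustration of points 1, 2, 3 and 7 above; it is not code from the original answer. It assumes a hypothetical protected hierarchy custom setting `AppSecret__c` in the managed package with two Text(255) fields, `EncryptionKey__c` (base64 AES-256 key) and `ClientSecret__c` (base64 IV plus ciphertext), and the class names are likewise hypothetical.

```apex
// Assumed: AppSecret__c is a Protected hierarchy custom setting, so once the
// package is installed only this package's Apex can read its values.
public with sharing class ConnectedAppSecretStore {
    private static final String ALGO = 'AES256';

    // Returns the org's AES key, generating and persisting one on first use.
    private static Blob getOrCreateKey(AppSecret__c settings) {
        if (String.isBlank(settings.EncryptionKey__c)) {
            Blob key = Crypto.generateAesKey(256);
            settings.EncryptionKey__c = EncodingUtil.base64Encode(key);
            return key;
        }
        return EncodingUtil.base64Decode(settings.EncryptionKey__c);
    }

    // Called from the package's setup UI with the admin's input (point 3).
    public static void storeClientSecret(String clearSecret) {
        AppSecret__c settings = AppSecret__c.getOrgDefaults();
        Blob key = getOrCreateKey(settings);
        // Managed IV: the platform prepends a random 16-byte IV to the ciphertext,
        // so the same secret never encrypts to the same stored value.
        Blob cipher = Crypto.encryptWithManagedIV(ALGO, key, Blob.valueOf(clearSecret));
        settings.ClientSecret__c = EncodingUtil.base64Encode(cipher);
        upsert settings;
    }

    // Decrypt only at the point of use (e.g. inside the callout that needs it)
    // and never write the returned value to debug logs (point 8).
    public static String getClientSecret() {
        AppSecret__c settings = AppSecret__c.getOrgDefaults();
        if (String.isBlank(settings.ClientSecret__c) || String.isBlank(settings.EncryptionKey__c)) {
            return null;
        }
        Blob key = EncodingUtil.base64Decode(settings.EncryptionKey__c);
        Blob clear = Crypto.decryptWithManagedIV(ALGO, key,
            EncodingUtil.base64Decode(settings.ClientSecret__c));
        return clear.toString();
    }
}

// Separate class file: Visualforce controller for the setup page. The transient
// keyword keeps the admin's input out of the serialized view state (point 7).
public with sharing class SecretSetupController {
    public transient String clientSecretInput { get; set; }

    public PageReference save() {
        ConnectedAppSecretStore.storeClientSecret(clientSecretInput);
        clientSecretInput = null;   // drop the clear text as soon as it is stored
        return null;
    }
}
```

Because both the key and the ciphertext sit in protected storage, a subscriber admin sees neither in Setup, while the package's own callout code can still call `getClientSecret()` when it needs the value.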