发表新帖
发表新帖

How to store a secret API key in an application's binary?

后端 未结
关注
4 454
青春惊慌失措
青春惊慌失措 2020-12-02 22:34

I am creating a Twitter client for Mac OS X and I have a Consumer secret. It\'s to my understanding I should not share this secret key. The problem is that

相关标签:
4条回答
  • 情话喂你
    2020-12-02 23:01

    A really late answer...

    If you setup your own server, you can use it for helping you desktop app getting authorized by users on twitter without sharing (i.e.: embedding) your secret key.

    You can use this approach:

    When a user installs you desktop app she must register it with twitter and with your server *) *) The app asks the server to generate the token request URL *) The server sends the generated URL to the app *) The app directs the user to the authorize URL *) The user authorizes your app on twitter and pastes the generated PIN into it *) Using the PIN you app grabs the token *) All further communication uses the token and does not involve your server

    Note: the app logs to your server using the user credentials (e.g.: id and password) for your server.

    0 讨论(0)
  • 自闭症患者
    2020-12-02 23:07

    You should not use a secret api key in an application that does not run solely on your server.

    Even if it's perfectly hidden.. you can always snoop on the data going through the wire. And since it's your device you could even tamper with SSL (man in the middle with a certificate created by a custom CA which was added to the device's trusted CA list). Or you could hook into the SSL library to intercept the data before actually being encrypted.

    0 讨论(0)
  • 情书的邮戳
    2020-12-02 23:08

    There is no real perfect solution. No matter what you do, someone dedicated to it will be able to steal it.

    Even Twitter for iPhone/iPad/Android/mac/etc. has a secret key in there, they've likely just obscured it somehow.

    For example, you could break it up into different files or strings, etc.

    Note: Using a hex editor you can read ascii strings in a binary, which is the easiest way. By breaking it up into different pieces or using function calls to create the secret key usually works to make that process more difficult.

    0 讨论(0)
  • 执笔经年
    2020-12-02 23:19

    You could just base64-encode it to obfuscate it. Or, better idea, generate the key instead of just storing it - write something like this:

    char key[100];
++key[0]; ... ; ++key[0]; // increment as many times as necessary to get the ascii code of the first character
// ... and so on, you get the idea.

    However, a really good hacker will find it no matter what; the only way to really protect it from others' eyes is using a secure hash function, but then you won't be able to retrieve it, too :)

    0 讨论(0)
 看不清?
提交回复
热议问题