Preventing misuse of libspotify key

Submitted by 江枫思渺然 on 2019-12-05 12:14:40

The logic is this (I work for Spotify): requiring our developers to jump through a bunch of hoops just to get their API key into their binary isn't going to be worth it - developers will be turned off by it and everyone will be unhappy.

However, we don't want keys to be spread around, simply because if everyone is using one key, we can't track it reliably and if that key ends up being used for something malicious and we kill it, lots of applications will suddenly be broken.

To force in a terrible car analogy, imagine the API key is some valuable item and your application is a car. If you leave the item on the car's seat (i.e., having your API key in plain text), you're practically inviting someone to break in and steal it (i.e., use your key in their own app). If you put it in the glove box (compile it into your binary), and someone breaks into your car (disassembles your app) because they know the item is in the glove box, it's pretty much game over anyway.

In short: Compiling in the key is absolutely security through obscurity, but we feel it's enough to dissuade people from casually reusing other applications' API keys when it's fairly trivial to get one from us directly.

I guess the essence of my question is this: how do I avoid breaching the ToS without requiring every user to obtain their own key?

If you're distributing your application in binary form, compiling it in is just fine. If you're distributing it in source form, you can't really include the key.
