
I'm currently developing a desktop application based on a 3rd party web API, and have registered for their program and been given two access keys in return.

However, if I paste these keys as strings in the source, then anyone could pull back the contents of the repo and find them pretty trivially.

So far my best idea of how to prevent this is to compile them separately into a class file, obfuscate it, and then just use that so they're at least not in plain text in the source. But is there a better, more accepted or at least commonly used way that I'm missing? I'm not after complete and utter security, but at least want to make extracting the keys as difficult as I reasonably can given an open source environment.

hippietrail
Michael Berry
    Obfuscating the class won't make much difference as it will only mangle the field name, not its contents, so it will still be trivial to extract. – Dan Dyer Jan 09 '13 at 12:23
  • Are you sure you may allow "the world" to use *your* credentials to access the web service? Shouldn't each user register for themself? –  Jan 09 '13 at 12:28
  • 1
    @a_horse_with_no_name These are application specific API keys, not user specific. By obfuscating in this instance I would probably manually do it to the actual string construction. Granted, still relatively easy to extract but at least a tad more obscure. – Michael Berry Jan 09 '13 at 13:03
  • Possible duplicate of [How to open-source an application that uses API keys](http://stackoverflow.com/questions/1983990/how-to-open-source-an-application-that-uses-api-keys). Though, this question is more specific in scope, so maybe not. – Stevoisiak Apr 23 '17 at 14:14

1 Answer

You'll probably want to plug in the access keys as a separate file in the source code, which you would avoid pushing to the public repository (or push with the actual keys deleted so someone wanting to use your application would need to plug in their own key). That way everything is open source except your private keys themselves.

TL;DR: The only way to really avoid publishing your keys is not to make them part of the public source repo. Anything else means they are pretty trivially extractable by others.

skoy
  • This makes a lot of sense, but I'm also considering when I release the software, it will need to contain the keys somewhere and again - they could be easily decompiled and released. – Michael Berry Jan 09 '13 at 13:03
  • Are we talking obfuscation for releasing the source-code, or in a binary release? For source-code there's no point so it's wasted effort. For a binary release you're moving into the realm of DRM. It's still not very effective, but there's a bit more wiggle room here. If it's the latter, can you give more details? What language & platform? What kind of users are you aiming at? – skoy Jan 09 '13 at 14:11
  • The latter, yes - a desktop Java application, and I guess I'm aiming at your "typical IT user". Think IT literate, but not a programmer. – Michael Berry Jan 09 '13 at 14:58
  • @berry120 Take a look at [this](http://truelicense.java.net/apidocs/de/schlichtherle/util/ObfuscatedString.html) as a possible solution. It gives you a method to obfuscate string literals in your code, and also mentions a free tool for code obfuscation, to use in conjunction with data obfuscation. – skoy Jan 10 '13 at 19:57