
My application has the requirement of publishing to Twitter using a specific consumer key and consumer secret of a fixed value.

I'm having trouble determining the best way to store these values securely in my application (The user should not be able to use another Twitter application - only mine).

Here are a few things I have already tried:

Scenario 1: Store in App.Settings

Fail - App.Settings are not initially encrypted.

Scenario 2: Store as hard coded value and use Dotfuscator

Fail - The variable is clearly visible in Reflector after being obfuscated.

Scenario 3: Encrypt and store as hard coded value.

Fail - Whilst this passes Scenario 1, the key itself will be hard coded (to ensure it generates the correct decrypted value) and is visible for Scenario 2.

The main issue I have is that in order for Twitter to recognise my consumer key/secret they need to be decrypted, however I don't want this value to be plainly set in the application itself.

What would be the best way for me to tackle this?

Jamie Keeling
  • See [How do I protect OAuth keys from a user decompiling my project?][1]. Slightly different problem, same solution (none really). [1]: http://stackoverflow.com/questions/7623335/how-do-i-protect-oauth-keys-from-a-user-decompiling-my-project?rq=1 – Jobo Jan 30 '13 at 08:30
  • @Jobo Could you post this as an answer? I have a feeling there's actually nothing I can do and your linked question seems spot on. – Jamie Keeling Jan 30 '13 at 08:38

2 Answers


As Stephen C. mentions as an answer to How do I protect OAuth keys from a user decompiling my project?, there is nothing you can do.

My best bet would be to make it as hard as possible, but staying aware of the fact that it's never really safe.

Jobo

App.Settings are not initially encrypted

You can use the ProtectedData class for encryption/decryption of such data, and store the encrypted values in .settings:

    using System;
    using System.Security.Cryptography;   // ProtectedData, DataProtectionScope (System.Security.dll)
    using System.Text;

    // Extension methods must be declared in a non-generic static class.
    public static class ProtectedStringExtensions
    {
        // Protects the string with DPAPI so that only the current Windows user can read it back.
        public static String Encrypt(this String unSecuredString)
        {
            if (String.IsNullOrEmpty(unSecuredString))
                return unSecuredString;

            var decryptedData = Encoding.UTF8.GetBytes(unSecuredString);
            var encryptedData = ProtectedData.Protect(decryptedData, null, DataProtectionScope.CurrentUser);

            return Convert.ToBase64String(encryptedData);
        }

        // Reverses Encrypt(); must run under the same user account that produced the blob.
        public static String Decrypt(this String securedString)
        {
            if (String.IsNullOrEmpty(securedString))
                return securedString;

            var encryptedData = Convert.FromBase64String(securedString);
            var decryptedData = ProtectedData.Unprotect(encryptedData, null, DataProtectionScope.CurrentUser);

            return Encoding.UTF8.GetString(decryptedData);
        }
    }
Dennis
  • The issue with this is that the unsecured string has to be passed to this function in the first place. – Jamie Keeling Jan 30 '13 at 08:34
  • @JamieKeeling: you're right, but it depends on where you receive this unsecured string from. E.g., if you receive it from the web server, or the user inputs it, it isn't a problem. – Dennis Jan 30 '13 at 08:36
  • The values are provided by me (as in I have already created a Twitter application to handle posting messages) so user input wouldn't occur. Additionally if I receive it from a web server then it would have to be unencrypted (and detectable via fiddler) as I wouldn't be able to decrypt it in my application. – Jamie Keeling Jan 30 '13 at 08:38
  • @JamieKeeling: "and detectable via fiddler" - moreover, if you ever decrypt something, it can easily be obtained by taking a process memory dump. So, the best protection is not to decrypt anything at all. Is that suitable for you? :) – Dennis Jan 30 '13 at 08:53
  • I'm using SecureString to try and mitigate that risk http://msdn.microsoft.com/en-us/library/system.security.securestring(v=vs.100).aspx – Jamie Keeling Jan 30 '13 at 09:09
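
The following is an added example, not code from the answer above, that walks the ProtectedData approach through to the point the comments raise: a DPAPI `CurrentUser` blob stored in user.config is keyed to the Windows account, not to the calling application, so any process running as that user (a second copy of the app, a PowerShell one-liner, the user with a debugger) gets the plaintext back with a single `Unprotect` call. It also shows the `optionalEntropy` parameter the answer passes as `null`: supplying entropy does make the blob fail to open without it, but the entropy has to ship inside the same binary, so it is exactly as visible in Reflector as a hard-coded key would be. `ConsumerSecret`, `AppEntropy`, and the class name are constructed placeholders for this demonstration. It targets .NET Framework with a reference to System.Security.dll (on .NET Core/5+ add the System.Security.Cryptography.ProtectedData package; DPAPI is Windows-only).

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added demonstration (not the original answer's code): DPAPI round trips with
// and without optional entropy, run under a single Windows user account.
static class DpapiSameUserDemo
{
    // Constructed placeholder; not a real Twitter consumer secret.
    const string ConsumerSecret = "CONSUMER_SECRET_PLACEHOLDER";

    // Hypothetical extra entropy compiled into the binary. Anything stored here
    // is recoverable with the same decompiler that recovers the secret itself.
    static readonly byte[] AppEntropy = Encoding.UTF8.GetBytes("not-really-secret-entropy");

    // Same shape as the answer's Encrypt(), with the entropy parameter exposed.
    static string Protect(string plaintext, byte[] entropy)
    {
        byte[] blob = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(plaintext), entropy, DataProtectionScope.CurrentUser);
        return Convert.ToBase64String(blob);
    }

    // Same shape as the answer's Decrypt(), with the entropy parameter exposed.
    static string Unprotect(string base64Blob, byte[] entropy)
    {
        byte[] plain = ProtectedData.Unprotect(
            Convert.FromBase64String(base64Blob), entropy, DataProtectionScope.CurrentUser);
        return Encoding.UTF8.GetString(plain);
    }

    static void Main()
    {
        // 1. What the answer's Encrypt() writes into user.config (entropy == null).
        string stored = Protect(ConsumerSecret, null);
        Console.WriteLine("Stored in .settings: " + stored);

        // The DPAPI master key for CurrentUser is derived from the user's logon
        // credentials, so any code running as this user can undo the protection.
        // Nothing binds the blob to the application that created it.
        Console.WriteLine("Recovered by any same-user process: " + Unprotect(stored, null));

        // 2. With optional entropy, a blob cannot be opened by code lacking the entropy...
        string storedWithEntropy = Protect(ConsumerSecret, AppEntropy);
        try
        {
            Unprotect(storedWithEntropy, null);
            Console.WriteLine("Unexpected: opened without entropy");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("Unprotect without entropy: CryptographicException (expected)");
        }

        // ...but the entropy lives in the same assembly as the Unprotect call, so
        // whoever decompiles the app has it, and the blob opens again.
        Console.WriteLine("Recovered using entropy from the binary: "
            + Unprotect(storedWithEntropy, AppEntropy));
    }
}
```

The takeaway matches the comment thread: DPAPI protects the stored value against other accounts on the machine (and `LocalMachine` scope protects against nothing local at all), but the threat here is the legitimate user of the application, who by definition runs under the account the blob is keyed to and who can read the decrypted bytes the moment `Unprotect` returns them.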