
How would one go about obfuscating strings in Go? I have a binary that contains an API key and API secret, and running `strings <binary>` allows me to see the API key/secret.

I consider this a security issue, since this would make database usernames/passwords, etc., readable too.

Please provide some insight into this, and/or a way to obfuscate Go strings/binaries. I know that it can be reverse engineered; I'm simply looking for a way to harden it.

Comments:

- Don't keep secrets in your program. If the program can decrypt them, so can any adversary. – JimB Dec 11 '14 at 19:54
- This is the wrong way to approach security. You can't harden it, you can only make it slightly more inconvenient. Does it really matter if it takes me 10min to get your secret vs 30sec? Your program *should not* contain any sort of credentials that you don't want publicly disclosed. Hiding it from the `strings` program is trivial -- hiding from anyone who knows what they're doing is impossible. – JimB Dec 11 '14 at 20:30
- To make it clear: people here are saying: don't save the secret in source code. But you might still be able to put the secret outside of source code, in a place that _you_ control. For example, an owner-readable file that's not accessible by anyone else but you. – dyoo Dec 11 '14 at 20:35
- If you are distributing the application code, then an attacker will be able to determine the key. At most it can be used by the service provider for bookkeeping purposes, and they should be fine with that if they allow desktop apps. – James Henstridge Dec 12 '14 at 01:22
- So a good approach to this _issue_ would be to have a remote server that it can send requests to, kinda like an API of some sort? – Stian OK Dec 12 '14 at 17:36
- Server might be OK. If you posted a question about what the app is trying to do, there might be something useful we can offer. (AWS, for example, lets your server hand out signatures that give a client permission to upload a file to S3 with particular restrictions.) – twotwotwo Dec 13 '14 at 01:21
- This question appears to be off-topic because it is an [XY Problem](http://meta.stackexchange.com/questions/66377/what-is-the-xy-problem). It's a wrong approach to the real problem. – Denys Séguret Dec 16 '14 at 11:20

0 Answers