I am creating a Twitter client for Mac OS X and I have a Consumer secret. It's my understanding that I should not share this secret key. The problem is that when I put it as a string literal into my application and use it, like this:

#define QQTwitterConsumerSecret @"MYSECRETYOUMAYNOTKNOW"

[[QQTwitterEngine alloc] initWithConsumerKey:QQTwitterConsumerKey consumerSecret:QQTwitterConsumerSecret];

It is in the data section of my application's binary. Hackers can read this, disassemble the application, etcetera.

Is there any safe way of storing the Consumer secret? Should I encrypt it?

Marek Sebera

  • If you encrypt it you'll still need to hide the encryption key. – Null Set Apr 02 '11 at 19:24
  • @Null Set what if the hacker doesn't know the encryption algorithm? –  Apr 02 '11 at 19:41
  • Unless the key refers to some kind of privileged account, there is no reason for it to be kept secret or even for it to exist, and Twitter is just being stupid. If it does refer to a privileged account, then it does not belong in an application you share. – R.. GitHub STOP HELPING ICE Apr 02 '11 at 19:49
  • @Radek Pro-Grammer: why are you tagging this with `C`? That code snippet is `objective-c`. – Mat Apr 02 '11 at 19:51
  • @Mat yes it is, but I don't want this question to be specific to any language. I'll remove the C tag. –  Apr 02 '11 at 20:08
  • @Radek in crypto it is always best to assume the adversary has full knowledge of the encryption technique used, and work around that. – Null Set Apr 02 '11 at 20:21

4 Answers

29

There is no real perfect solution. No matter what you do, someone dedicated to it will be able to steal it.

Even Twitter for iPhone/iPad/Android/Mac/etc. has a secret key in there; they've likely just obscured it somehow.

For example, you could break it up into different files or strings, etc.

Note: Using a hex editor you can read ASCII strings in a binary, which is the easiest way. Breaking it up into different pieces or using function calls to create the secret key usually makes that process more difficult.

  • It's worth noting that this is why it's possible to revoke API access keys. If it does get stolen (and it's a problem) just revoke the key and push an updated app with a new key to your users. – Daniel Dickison Apr 06 '11 at 16:28
  • @DanielDickison it's also worth noting that pushing a new version of a mobile app takes time, especially with Apple. – noamtm Feb 05 '15 at 09:31

7

You could just base64-encode it to obfuscate it. Or, better idea, generate the key instead of just storing it - write something like this:

char key[100] = {0}; // zero-initialised so the increments below start from a defined value
++key[0]; ... ; ++key[0]; // increment as many times as necessary to get the ASCII code of the first character
// ... and so on for key[1], key[2], ...; you get the idea.

However, a really good hacker will find it no matter what; the only way to really protect it from others' eyes is using a secure hash function, but then you won't be able to retrieve it either :)
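The two answers above describe why a plain literal is trivially found and why splitting or generating the secret only raises the bar. The following is an added illustration, not code from either answer: it runs a minimal strings(1)-style scan over a constructed stand-in for a binary's data section, once with the secret as a literal and once stored as XOR-masked chunks, and then shows the runtime reassembly that any such scheme must perform. The secret, mask and filler bytes are all constructed values.

```python
import re

# Constructed example secret and mask; not a real Twitter consumer secret.
SECRET = b"MYSECRETYOUMAYNOTKNOW"
MASK = 0x5A
FILLER = b"\x00\x01\xff\x10"  # stands in for surrounding non-text bytes


def obfuscate(secret: bytes, mask: int, chunk: int = 5) -> list:
    """XOR every byte with mask and split the result into short chunks, so
    the binary holds no contiguous printable copy of the secret (answer 1's
    'break it up' and answer 2's 'generate it' ideas, combined)."""
    masked = bytes(b ^ mask for b in secret)
    return [masked[i:i + chunk] for i in range(0, len(masked), chunk)]


def deobfuscate(chunks: list, mask: int) -> bytes:
    """What the app must run before every use: the plaintext is rebuilt in
    memory, so a debugger or memory dump still recovers it."""
    return bytes(b ^ mask for b in b"".join(chunks))


def find_strings(blob: bytes, min_len: int = 8) -> list:
    """Minimal strings(1)-style scan: runs of printable ASCII >= min_len."""
    pattern = rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}"
    return [m.group().decode() for m in re.finditer(pattern, blob)]


def plain_binary() -> bytes:
    """Data section with the secret stored as a plain literal."""
    return FILLER + SECRET + FILLER


def obfuscated_binary() -> bytes:
    """Data section holding only the masked chunks, separated by filler, so
    no chunk can ever form a printable run of min_len regardless of mask."""
    return FILLER + FILLER.join(obfuscate(SECRET, MASK)) + FILLER


if __name__ == "__main__":
    print("plain     :", find_strings(plain_binary()))
    print("obfuscated:", find_strings(obfuscated_binary()))
    print("runtime   :", deobfuscate(obfuscate(SECRET, MASK), MASK))
```

The scan finds the literal immediately and nothing in the masked layout, but `deobfuscate` shows the value is back in process memory the moment the app needs it.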

2

You should not use a secret api key in an application that does not run solely on your server.

Even if it's perfectly hidden, you can always snoop on the data going through the wire. And since it's your device you could even tamper with SSL (man in the middle with a certificate created by a custom CA which was added to the device's trusted CA list). Or you could hook into the SSL library to intercept the data before it is actually encrypted.

ThiefMaster

  • Then it'll be impossible to create a desktop Twitter client :O –  Apr 02 '11 at 19:33
  • @Radek Not if you have the desktop client connect to your server. – Null Set Apr 02 '11 at 20:25
  • @Null Set: excellent point. Now that I think about it, that's almost surely what Twitter wants you to do. Of course it makes your app violate users' privacy (by transmitting their data through your server) and stop working if your server ever goes offline, and thus it's a horrible design... – R.. GitHub STOP HELPING ICE Apr 02 '11 at 20:28
  • In the most general case, your server will want to provide all of the services the original server (Twitter) does. And now you have to authenticate the client app with your server. Which leads to the exact same problem we started with. – Daniel Dickison Apr 06 '11 at 16:26
  • Actually you just have to do what you "should not do". – superarts.org Jul 05 '12 at 06:36
  • @user142019 You can always open a webview from your website in your app. That will make sure you are secure as well as get the functionality ready. If you don't store data on a server then this may not work. – dinwal Dec 22 '17 at 05:59

0

A really late answer...

If you set up your own server, you can use it to help your desktop app get authorized by users on Twitter without sharing (i.e. embedding) your secret key.

You can use this approach:

  • When a user installs your desktop app she must register it with Twitter and with your server
  • The app asks the server to generate the token request URL
  • The server sends the generated URL to the app
  • The app directs the user to the authorize URL
  • The user authorizes your app on Twitter and pastes the generated PIN into it
  • Using the PIN your app grabs the token
  • All further communication uses the token and does not involve your server

Note: the app logs in to your server using the user's credentials (e.g. id and password) for your server.

hawk78
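The server-assisted request-token step described in the answer above (and the "connect to your server" suggestion in the earlier comments), as an added example that is not part of any answer: the consumer secret lives only in the server process, which computes the OAuth 1.0a HMAC-SHA1 signature for the request-token call and hands the client nothing but the finished Authorization header. The consumer key and secret are placeholders, and the in-process function call stands in for an authenticated HTTPS request from the app to your own server.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Placeholders, not real Twitter credentials. CONSUMER_SECRET is the value
# that must never be shipped inside the desktop app.
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = "example-consumer-secret"
REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"


def _enc(s: str) -> str:
    """RFC 5849 percent-encoding: everything but unreserved characters."""
    return quote(s, safe="~")


def oauth_signature(method: str, url: str, params: dict,
                    consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 over the signature base string (RFC 5849 section 3.4)."""
    normalized = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()))
    base = "&".join([method.upper(), _enc(url), _enc(normalized)])
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def server_sign_request_token(nonce: str = None, timestamp: str = None) -> str:
    """Server side: build the signed Authorization header for the
    request-token call. oauth_callback="oob" selects the PIN flow."""
    params = {
        "oauth_callback": "oob",
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp or str(int(time.time())),
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = oauth_signature("POST", REQUEST_TOKEN_URL,
                                                params, CONSUMER_SECRET)
    return "OAuth " + ", ".join(f'{_enc(k)}="{_enc(v)}"' for k, v in sorted(params.items()))


def client_request_header() -> str:
    """Client side: receives only the header to send to Twitter."""
    header = server_sign_request_token()
    if CONSUMER_SECRET in header:  # sanity check: the secret must not leak
        raise RuntimeError("secret leaked into client-visible header")
    return header
```

Any later OAuth-signed call is built the same way, with the token secret appended to the signing key.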