
For an example say we have an application such as a client based application which connects to an API using an api key. We are saying for this purpose there is no OAuth. How would a string or in this example an api key be hidden from the client. To be used it needs to be in the code which is on the clientside. How do we keep the string safe? If users decompile the code they could find the key.

This is a very basic example with solutions such as server siding the connection, but in general how do you protect strings that must be present in the code. Deobfuscation is a pain.

ComputerLocus
  • You can't. Change your security model so that you don't have to do this, e.g. get each user to input their own API key, or proxy the requests through a web service that handles the API interface itself. – Polynomial Mar 04 '14 at 16:09

2 Answers

3

In short: you can't.

As long as someone has the local copy and the local copy is capable of retrieving this key, then someone could reverse engineer and get it. If someone had attempted to hide or obfuscate their code, then I would just step through the program in real-time or through IDA Pro. If at some point you store your key in a variable, then I'll grab it in memory. If you rely on some sort of algorithm, I'll reverse-engineer a working version by looking at how you do it.

Let me give you an example. There exists an RSA key on the Xbox 360 console to secure content made on the console such as save games. Both the private and public keys were stored in the kernel, and the RAM was completely encrypted. It took a long time, but someone was finally able to reverse-engineer the kernel enough to know the entire file structure, how the SHA blocks were created, and able to grab the RSA private and public keys. It took significantly longer since the system was secure, but they were still able to get it. From Microsoft's own console.

The only true way to hide something is to do the work on something you trust, aka the server.
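The server-side proxy this answer and Polynomial's comment point to, as an added example that is not part of the original post: the API key lives only in the proxy's environment, the client calls the proxy with no credential at all, and the proxy forwards only allow-listed paths so it does not become an open relay. The upstream host, the `UPSTREAM_API_KEY` variable and the allowed paths are assumptions.

```python
import os
from urllib.parse import urlsplit

# Constructed example values: a hypothetical third-party API and the only
# operations the proxy is willing to perform on the client's behalf.
UPSTREAM = "https://api.example.test"
ALLOWED_PATHS = {"/v1/weather", "/v1/forecast"}

# Headers a client must not be able to pass through to the upstream API.
STRIPPED_HEADERS = {"authorization", "x-api-key", "host", "cookie"}


class ProxyError(Exception):
    """Raised when a client request must not be forwarded."""


def load_api_key(env=os.environ):
    """Read the key from the server's environment; it is never shipped to clients."""
    key = env.get("UPSTREAM_API_KEY")
    if not key:
        raise ProxyError("UPSTREAM_API_KEY is not configured on the server")
    return key


def build_upstream_request(client_path, client_headers, env=os.environ):
    """Turn a key-less client request into the authenticated upstream request.

    Returns (url, headers). Exact path matching rejects anything outside the
    allow list, and credential-bearing client headers are dropped so a client
    can neither smuggle its own key nor override the server's.
    """
    parts = urlsplit(client_path)
    if parts.path not in ALLOWED_PATHS:
        raise ProxyError(f"path not allowed: {parts.path}")
    headers = {k: v for k, v in client_headers.items()
               if k.lower() not in STRIPPED_HEADERS}
    headers["X-Api-Key"] = load_api_key(env)  # the secret is added server-side only
    url = UPSTREAM + parts.path + (f"?{parts.query}" if parts.query else "")
    return url, headers


def proxy(client_path, client_headers, send, env=os.environ):
    """Forward one request. `send(url, headers) -> (status, body)` is the
    outbound transport, injected so the logic can run without network access."""
    url, headers = build_upstream_request(client_path, client_headers, env)
    return send(url, headers)
```

The client only ever learns the proxy's address; decompiling it yields nothing worth protecting, and rotating the key is a server-side configuration change.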

-1

If your app is web based then you can use an AJAX call to prevent your API key from being displayed in the URL; otherwise, if it is a desktop app, you can store your API key in a file or a database, then retrieve it when you need to make a call to your API.

aboujanane