How can one secure a password/key in source code

  • If there is a need for source code to have a password in it, how should this be secured? This is purely an example, but say there is an app that is using an API, and you don't want to expose your API key, yet you need to have it in the source code, because it is used. How do you effectively have a string that the user cannot retrieve yet can be used? Does not seem possible without asking the server for the string.

    RE: Why can we still crack snapchat photos in 12 lines of Ruby?

    As "hakjhkjdhakjhdkja" pointed out in the previous question: What Snapchat promises is impossible to do according to the current state of computer science. There is no such thing as self-destroying information. Whenever they state that it would be impossible to permanently save an image sent over their service, they are lying!

    Haha, okay, my comment got turned into a question, though I had asked the question already.

  • kiBytes (Correct answer), 7 years ago

    Short answer: you can't.

    You can never protect a password that you are distributing. You might hide it between some strings and use other operations to "cover" the password but, in the end, you will have to put it all together to make your function operate. And here is where the cracker is going to take it.

    There is no easy way to solve this problem and usually it means that you have not chosen the best security scheme or, if you feel it is enough, maybe it means that you just don't need this kind of security.

    And if you really, really, really need to do it that way, you will have to go with "security by obscurity"; after all, the longer it takes to be cracked, the better. You'd better have some detection system for when this happens.

    As an example, consider the gaming industry all these years with their copy protections and so on: if there had been a way to achieve security within the code itself, that would mean the end of "piracy".

    sooo.. when a developer (like myself) uses an app API key, e.g. Google Services, in an app, if it is so easily discoverable then it is feasible for another dev to basically use my API key maliciously and get it blocked. Then I would need to get another key - rinse and repeat. Is there something on the server to prevent this?

    If someone takes apart your app and discovers your API key, they can use that API key as they will. You can try to protect this by signing your requests, but the discoverer can (and will) mimic your signing logic as well. It's done every time someone jailbreaks an iPhone.

    Well, at least in theory you can... kind of. Assuming that the platform is closed, or "trusted" as companies like Microsoft would put it. So you either have some special hardware that simply doesn't let you access data on your own computer unless _they_ allow you to, or you have an operating system (like WinRT) where _they_ control what programs you _may_ install, and there is only a single way of installing software.
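    The pattern the question and the comment thread keep circling back to (ask the server for something instead of shipping the key, and have a detection system for when it leaks) as an added, illustrative example; this is not code from the answer's author, and the names ApiProxy, issue_token, verify_token, fake_upstream and the constructed keys and thresholds are assumptions. The real upstream key lives only in the server-side proxy; the client only ever holds a short-lived HMAC-signed token, and a token that is extracted and shared burns itself out against the abuse threshold instead of burning the key.

```python
import base64
import hashlib
import hmac
import json
from collections import Counter

# Constructed demo secrets: both stay on the server and are never compiled into a client.
UPSTREAM_API_KEY = "example-upstream-key-never-ships-in-client"
TOKEN_SIGNING_KEY = b"server-only-hmac-key"
TOKEN_TTL = 300        # seconds a client token stays valid
ABUSE_THRESHOLD = 100  # calls per token before it is revoked

def issue_token(user_id: str, now: float) -> str:
    """Server: give an authenticated user a short-lived, HMAC-signed token."""
    claims = {"sub": user_id, "exp": int(now + TOKEN_TTL)}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(TOKEN_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def verify_token(token: str, now: float):
    """Server: return the claims if the signature is valid and unexpired, else None."""
    body, _, sig = token.partition(".")
    expected = hmac.new(TOKEN_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not sig or not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims if claims["exp"] >= now else None

class ApiProxy:
    """Server-side proxy: the only code that ever touches the upstream key."""
    def __init__(self, upstream):
        self.upstream = upstream
        self.calls = Counter()   # per-token call counter feeds the abuse check
        self.revoked = set()

    def handle(self, token: str, request: dict, now: float) -> dict:
        claims = verify_token(token, now)
        if claims is None or token in self.revoked:
            return {"status": 401, "error": "bad, expired or revoked token"}
        self.calls[token] += 1
        if self.calls[token] > ABUSE_THRESHOLD:
            self.revoked.add(token)  # detection: a leaked or shared token burns out
            return {"status": 429, "error": "abuse threshold exceeded"}
        return {"status": 200, "user": claims["sub"],
                "data": self.upstream(UPSTREAM_API_KEY, request)}

def fake_upstream(api_key: str, request: dict) -> dict:
    """Constructed stand-in for the third-party API; it only answers with the real key."""
    return {"echo": request} if api_key == UPSTREAM_API_KEY else {"error": "forbidden"}
```

Revoking a token costs nothing, whereas rotating the upstream key (the "rinse and repeat" in the comment above) breaks every client at once.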

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM