How secure is AIR's EncryptedLocalStore on the desktop?

Question

I'm working on a desktop application that uses API keys for Twitter but AFAIK, AIR applicatioons are easy to decompile. I want the processing of the API requests to be client-side, not server-sided. At most, I want to keep the dependency onto the server to as low as possible.

What I'm thinking is sending the API from the server to the AIR app on the first run. I've already seen Shared secret with API in an Ajax Adobe AIR app but my question is a bit different in that, I want to know how secure ELS is?

How does Adobe work it's way to storing stuff into the ELS? Does it go through multiple encryption sessions before finally getting stored somewhere on the computer?

Answer 1

Anything that an application on the user's desktop can read, can also be read by the user himself. They can get the key by using a proxy (like Charles) when you send it from or to the server; or they can read it with a debugger when AIR writes it to the ELS.

If I'm not mistaken, Twitter's API keys are public anyway (its only purpose is to track how you are using their API). Are you worried that a user might use your key for their own application? If they do that, all you have to do is get a new Twitter key.