My application hits a number of web services, such as Twitter and Flickr. It uses API keys from those services, and I'd like to obfuscate them in my binaries. (I'm not really worried about piracy or anything, I just need to keep these keys secret.)
What's the best way to go about it?
If I store them as const SecureString, does that keep them out of memory? The MSDN description says the text is "deleted from computer memory when no longer needed", but isn't a const always in memory?
Will Dotfuscator obscure it in my assembly? (Assuming I can get it to work.)
I've recently had to deal with exactly this situation. The problem isn't so much making sure someone can't easily find it using a hex editor, but rather when it's sent over the wire to the various APIs. Simply running Fiddler and watching requests will show the key regardless. Some APIs will have the benefit of a private/public key, which helps a little.
The only solution I could come up with was to create a web service of my own, externally hosted, that acted as a proxy between the client and the targeted API. This allowed me to generate individual keys for each terminal that I could activate/deactivate, and the majority of the sensitive data was stored on my remote proxy application.
Good luck!
~ "Don't forget to drink your Ovaltine"
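
The proxy arrangement described in the answer above, as an added example that is not part of the original post: each terminal holds only its own revocable token, and the proxy attaches the real API key server-side. The key value, the `api_key` parameter name, the allowed paths and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed placeholders: the real key exists only on the proxy host.
UPSTREAM_API_KEY = "EXAMPLE-UPSTREAM-KEY"
ALLOWED_PATHS = {"/photos/search", "/statuses/update"}  # hypothetical endpoints


def _digest(token):
    return hashlib.sha256(token.encode()).digest()


class TerminalRegistry:
    """Per-terminal tokens; the proxy stores only their SHA-256 digests."""

    def __init__(self):
        self._terminals = {}  # terminal_id -> {"digest": bytes, "active": bool}

    def issue(self, terminal_id):
        token = secrets.token_urlsafe(32)
        self._terminals[terminal_id] = {"digest": _digest(token), "active": True}
        return token  # handed to the terminal once, never stored in clear

    def set_active(self, terminal_id, active):
        self._terminals[terminal_id]["active"] = active

    def is_authorized(self, terminal_id, token):
        entry = self._terminals.get(terminal_id)
        if entry is None:
            return False
        # Constant-time comparison; a deactivated terminal fails even with a valid token.
        return hmac.compare_digest(entry["digest"], _digest(token)) and entry["active"]


def build_upstream_request(registry, terminal_id, token, path, params):
    """Return (status, request). The real key is attached only on the proxy side."""
    if not registry.is_authorized(terminal_id, token):
        return 403, None
    if path not in ALLOWED_PATHS:  # do not relay the key to arbitrary endpoints
        return 404, None
    # Drop any client-supplied credential so it cannot override the proxy's key.
    clean = {k: v for k, v in params.items() if k.lower() != "api_key"}
    clean["api_key"] = UPSTREAM_API_KEY
    return 200, {"path": path, "params": clean}
```

A token extracted from one client binary or captured on the wire exposes only that terminal, which can be deactivated without rotating the upstream key.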