Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to store a secret API key in an application's binary?

Tags:

binary

twitter

api-key

secret-key

People also ask

What is the best place to store secret API keys?

Often your app will have secret credentials or API keys that you need to have in your app to function but you'd rather not have easily extracted from your app. If you are using dynamically generated secrets, the most effective way to store this information is to use the Android Keystore API.

Which is the most secure method to transfer an API key?

There is only one reliable way: use HTTPs for your web site to allow the users to retrieve the key. Then during the API calls HTTPS is no longer required. Your users can use HMAC authentication to hash the key with a shared secret.

There is no real perfect solution. No matter what you do, someone dedicated to it will be able to steal it.

Even Twitter for iPhone/iPad/Android/mac/etc. has a secret key in there, they've likely just obscured it somehow.

For example, you could break it up into different files or strings, etc.

Note: Using a hex editor you can read ascii strings in a binary, which is the easiest way. By breaking it up into different pieces or using function calls to create the secret key usually works to make that process more difficult.


You could just base64-encode it to obfuscate it. Or, better idea, generate the key instead of just storing it - write something like this:

char key[100];
++key[0]; ... ; ++key[0]; // increment as many times as necessary to get the ascii code of the first character
// ... and so on, you get the idea.

However, a really good hacker will find it no matter what; the only way to really protect it from others' eyes is using a secure hash function, but then you won't be able to retrieve it, too :)


You should not use a secret api key in an application that does not run solely on your server.

Even if it's perfectly hidden.. you can always snoop on the data going through the wire. And since it's your device you could even tamper with SSL (man in the middle with a certificate created by a custom CA which was added to the device's trusted CA list). Or you could hook into the SSL library to intercept the data before actually being encrypted.

Related questions

Twitter OAuth (PHP): Need good, basic example to get started
How to force WebRequest to send Authorization header during POST
Pandas max value index
Is there a way to get the twitter share count for a specific URL?
Avoid Twitter API limitation with Tweepy
What exactly does 'since_id' and 'max_id' mean in the Twitter API
cURL and PHP: Stop output to screen
How to proceed with Twitter dropping support for the Twitter SDK?
Asp.Net MVC 5 Owin Twitter Auth throwing 401 Exception
TWTweetComposeViewController deprecated in IOS6
Twitter API to get recent tweets of a particular user
For Twitter , how to create test user accounts?
spannable on android for textView
Building Twitter profile image url with Twitter user id
How do I fix twitter-bootstrap on IE?
How can I get tweets older than a week (using tweepy or other python libraries)
How can I do OAuth request by open new window, instead of redirect user from current page?
Keep getting OAuth::Unauthorized error when using oauth and twitter ruby gems
Does Scala scale better than other JVM languages?
Do twitter access token expire?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!