Keep secret key in Python

I know that these questions have been asked several times separately, and most of the answers I found were "Python is not easy to obfuscate because of the nature of the language. If you really need obfuscation, use a different tool" and "At some point you need to compromise" (see How to protect Python code and How to keep OAuth safe for consumers and how to react when it is compromised?).

However, I just made a small Python application that uses the Twitter API (and therefore needs OAuth). OAuth requires a consumer secret, which should be kept away from users. The application needs this information, but the user should not have easy access to it. If this information cannot be protected (and I use obfuscation and protection as synonyms because I don't know another way), what is the point of using the OAuth API from Python in the first place?

So the question(s):

  • Is it possible to hard-code a secret in an application and then effectively obfuscate it?
  • If not, what is the best way to use OAuth in Python? I thought about "shipping" the encrypted consumer secret together with the application and using a hard-coded key to recover it, but the problem remains the same (how to protect the key); keeping the consumer secret on a server and having the application fetch it at startup (if the information is sent unencrypted, it would be even easier for an attacker to just use Wireshark and take the consumer secret from the network traffic than to decompile the bytecode, and how can I make sure that I send this secret to my application and not to the attacker? Any form of authentication that I know of requires secret information on the application side, so the problem remains the same); or a mixture of both (the server sends the encryption key; same problems as before). The main problem is the same: how can you have something secret if it is impossible to hide important information?

I also saw comments saying that you should use a C/C++ extension for these critical parts, but I don't know anything about this, so if that were the answer, I would appreciate additional information.

+5
3 answers

If you want to deploy your own application on your servers (or laptops), you can keep secrets in env vars or files. If you want to deploy for a user, assume that you or your user must register an API key, generate an SSL key, or the like.

0

You can program your own simple critical encryption algorithm with lots of data manipulation to make it more complex.

-1

It is not clear why you need to ship your OAuth key with a script. This would mean giving anyone access to your Twitter account, regardless of whether they're running the app itself.

A more typical scenario is that you are developing a Twitter client, and anyone who wants to run it locally will have to enter their own OAuth token before they can launch it. You simply do not hardcode the token and require that any user submit a token.

-1
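An added example (not code from any answer in this thread) of what the first and third answers recommend in practice: the consumer key and secret are never hard-coded; they are read from environment variables or from a per-user credentials file that each user fills in with the key they registered themselves. The file is created owner-readable only and refused if other local users can read it, which is the check that the "keep it in a file" approach relies on. The application name, environment variable names, file layout and the sample values are assumptions made for this example.

```python
import json
import os
import stat
from pathlib import Path

# Hypothetical names chosen for this example (not from the thread).
APP_NAME = "mytwitterclient"
ENV_KEY = "MYAPP_CONSUMER_KEY"
ENV_SECRET = "MYAPP_CONSUMER_SECRET"


class CredentialError(Exception):
    """Raised when no usable credentials can be found or the file is unsafe."""


def _check_private(path: Path) -> None:
    """Refuse a credentials file that group or world can read (POSIX only)."""
    if os.name != "posix":
        return  # st_mode carries no useful permission bits on Windows
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise CredentialError(
            f"{path} is accessible to other users (mode {mode:o}); run: chmod 600 {path}"
        )


def default_config_path() -> Path:
    """Per-user location; each user keeps their own registered key here."""
    return Path.home() / ".config" / APP_NAME / "credentials.json"


def load_credentials(env=None, config_path=None):
    """Return (consumer_key, consumer_secret).

    Order: environment variables first (handy on servers and in CI), then the
    per-user file. There is deliberately no hard-coded fallback: if nothing is
    configured, the program stops instead of shipping a secret in its bytecode.
    """
    env = os.environ if env is None else env
    key, secret = env.get(ENV_KEY), env.get(ENV_SECRET)
    if key and secret:
        return key, secret

    path = Path(config_path) if config_path is not None else default_config_path()
    if not path.is_file():
        raise CredentialError(
            f"no credentials: set {ENV_KEY}/{ENV_SECRET} or create {path} "
            "with the consumer key you registered with the API provider"
        )
    _check_private(path)
    data = json.loads(path.read_text())
    try:
        return data["consumer_key"], data["consumer_secret"]
    except KeyError as exc:
        raise CredentialError(f"{path} is missing field {exc}") from exc


def save_credentials(key: str, secret: str, config_path) -> Path:
    """Write the user's own key to a file that is owner-only from the moment it exists."""
    path = Path(config_path)
    path.parent.mkdir(parents=True, exist_ok=True)
    # Create with 0600 atomically rather than chmod-ing after a world-readable write.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump({"consumer_key": key, "consumer_secret": secret}, fh)
    os.chmod(path, 0o600)  # tighten a pre-existing file with looser permissions
    return path


def demo() -> dict:
    """Exercise the loader with constructed sample values in a temporary directory."""
    import tempfile

    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "credentials.json"
        save_credentials("constructed-key", "constructed-secret", path)
        results["from_file"] = load_credentials(env={}, config_path=path)
        results["mode"] = oct(stat.S_IMODE(path.stat().st_mode))
        os.chmod(path, 0o644)  # simulate a user who loosened the permissions
        try:
            load_credentials(env={}, config_path=path)
            results["loose_file_rejected"] = False
        except CredentialError:
            results["loose_file_rejected"] = True
        try:
            load_credentials(env={}, config_path=Path(tmp) / "absent.json")
            results["missing_rejected"] = False
        except CredentialError:
            results["missing_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

With this layout a user who runs the client supplies their own key once (for instance through a first-run prompt that calls `save_credentials`), and a server deployment sets the two environment variables instead; the code that is distributed contains nothing worth extracting.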
