The applications I create often have requirements for services on social networks; eg.

• Twitter
• bit.ly
• Facebook

For most of these services, I need to have an API key. I am trying to develop a better way to include these API keys in the application binary. The desired level of security depends on possible attacks that could be carried out by cybercriminals.

Twitter

• I have a key and secret with xAuth support. Both must be used by the iPhone application.

Fallout from attack

• Malicious users may post twitter status updates disguising themselves as inbox from my application. There is no twitter account to capture and start publishing status updates.

bit.ly

• I have a username, password and API key.
• To enter the site and gain access to analytics, you must enter a username and password.
• To create links via the API, my iPhone applications only require a username and API key. The password will not be in the application in any form.

Fallout from attack

• Malicious users may link to my bit.ly account. They will need to make a separate attack for brute force or otherwise get a password to enter the account.

For both of these services, the potential harm does not seem too great. But for other services, it can be much worse.

I can simply define the API credentials as lines in the header or in a line in the code, but then it is vulnerable to someone using the lines in the application to see what is in it.

Then I could start doing stupid / xor -ing concatenation in the code to recreate the API key in memory, and the attacker would have to work a bit to recover any keys in binary format. My concern is that I am not a cryptographer and create there an embarrassingly weak form of obfuscation there.

What are the best deals people have?