How to protect an API key in a .NET application

My application calls into a number of web services such as Twitter and Flickr. It uses the API keys from these services, and I would like to obfuscate them in my binaries. (I'm not really worried about piracy or anything else, I just need to keep these keys secret.)

What is the best way to do this?

If I store them as a const SecureString, does that stop them from being recovered from memory? The MSDN description says that the text "is deleted from the computer's memory when it is no longer needed", but isn't a constant always in memory?

Will Dotfuscator hide it in my build? (Assuming I can get it to work.)

+8
security obfuscation api-key dotfuscator
3 answers

I recently had to deal with this situation. The problem is not so much that someone can easily find the key with a hex editor, but rather that it is sent to the various APIs over the wire. Just starting Fiddler and looking at the requests will show the key regardless. Some APIs have the advantage of a private/public key pair, which helps a bit.

The only solution I could come up with was to create my own externally hosted web service that acted as a proxy between the client and the target API. This allowed me to generate separate keys for each endpoint, which I could activate/deactivate, and most of the sensitive data was stored in the remote proxy application.

Good luck

~ "Don't forget to drink your Ovaltine"

+8
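The proxy pattern this answer describes, written out as an added example that is not the answerer's code: a hypothetical ASP.NET Core minimal API (.NET 7 or later) in which the real provider key exists only on the server, and each client installation carries a separate, individually revocable token. The `X-Client-Token` header, the upstream URL, the allow-listed `statuses/` path and the token table are all assumptions made for the example.

```csharp
// Program.cs of a hypothetical proxy service (assumed names throughout).
using System.Net.Http.Headers;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
// Upstream base address is an assumption; the provider's real host goes here.
builder.Services.AddHttpClient("upstream",
    c => c.BaseAddress = new Uri("https://api.example.com/"));
var app = builder.Build();

// The provider API key lives only on the server, read from its environment.
// It never appears in the desktop binary and never crosses the client's wire.
string upstreamKey = Environment.GetEnvironmentVariable("UPSTREAM_API_KEY")
    ?? throw new InvalidOperationException("UPSTREAM_API_KEY is not set");

// Per-installation tokens issued by the proxy. A token embedded in a client
// can still be extracted, but it is scoped to this proxy and can be disabled
// without touching the provider key. Constructed in-memory table; use a
// database in a real deployment.
var clientTokens = new Dictionary<string, (string Name, bool Enabled)>
{
    ["tok-desktop-001"] = ("desktop build 1.0", true),
    ["tok-desktop-002"] = ("desktop build 0.9", false), // revoked
};

app.MapGet("/proxy/{**path}",
    async Task<IResult> (string path, HttpRequest req, IHttpClientFactory factory) =>
{
    // 1. Authenticate the calling installation against the revocable table.
    if (!req.Headers.TryGetValue("X-Client-Token", out var tokenValues)
        || !clientTokens.TryGetValue(tokenValues.ToString(), out var client)
        || !client.Enabled)
        return Results.Unauthorized();

    // 2. Allow-list the upstream paths the client legitimately needs, so a
    //    leaked client token cannot turn the proxy into a general relay.
    if (!path.StartsWith("statuses/", StringComparison.Ordinal))
        return Results.StatusCode(StatusCodes.Status403Forbidden);

    // 3. Forward the request, attaching the provider key server-side only.
    var upstream = factory.CreateClient("upstream");
    using var msg = new HttpRequestMessage(HttpMethod.Get, path + req.QueryString.Value);
    msg.Headers.Authorization = new AuthenticationHeaderValue("Bearer", upstreamKey);
    using var resp = await upstream.SendAsync(msg);
    string body = await resp.Content.ReadAsStringAsync();
    string contentType = resp.Content.Headers.ContentType?.ToString() ?? "application/json";
    return Results.Content(body, contentType, statusCode: (int)resp.StatusCode);
});

app.Run();
```

Anyone who runs Fiddler against the desktop client now sees only the per-installation token and the proxy's address, not the provider key; disabling a leaked token in `clientTokens` (or its database equivalent) cuts off that build without rotating the upstream key. The allow-list step is what keeps the proxy from becoming an open relay for whatever the provider key can do.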

Anon is right, there is no way to completely protect data; someone can always get it.

But you want to make it as difficult as possible. This means not doing the things that make the key easy to read:

  • do not store it in a registry key (e.g. TwitterAPIKey REG_SZ)
  • do not save it in a text file (e.g. twitterkey.txt) or in an ini file
  • do not save it in the application's .config file
  • do not save it as plain text in the binary
  • do not store it unencrypted in the binary

This leaves only the people who know how to use a debugger and (possibly) disassemble code.

You have significantly reduced the attack surface.

Follow just the first three points and you will be well on your way.

+4
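For the last two points, the .NET facility for keeping a key encrypted at rest rather than as plain text in a file or binary is Windows DPAPI via `ProtectedData`. The following is an added example, not the answerer's code: the `KeyStore` class, the file path and the entropy string are assumptions. It is Windows-only and, on .NET Core and later, needs the `System.Security.Cryptography.ProtectedData` package.

```csharp
// Added example (assumed names): store an API key encrypted under the
// current Windows user's DPAPI master key instead of as plain text.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class KeyStore
{
    // Optional entropy mixed into the DPAPI derivation so that another
    // program running as the same user cannot simply call Unprotect on the
    // blob without also knowing this value. Constructed example value.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-v1");

    // Encrypt the key and write the opaque blob to disk. Scope.CurrentUser
    // means only this Windows account can decrypt it; other local users and
    // anyone who copies the file to another machine get nothing useful.
    public static void Save(string path, string apiKey)
    {
        byte[] plain = Encoding.UTF8.GetBytes(apiKey);
        try
        {
            byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
            File.WriteAllBytes(path, blob);
        }
        finally
        {
            CryptographicOperations.ZeroMemory(plain); // do not leave a copy behind
        }
    }

    // Decrypt on demand; callers should hold the result only as long as needed.
    public static string Load(string path)
    {
        byte[] plain = ProtectedData.Unprotect(File.ReadAllBytes(path), Entropy, DataProtectionScope.CurrentUser);
        try
        {
            return Encoding.UTF8.GetString(plain);
        }
        finally
        {
            CryptographicOperations.ZeroMemory(plain);
        }
    }
}

static class Program
{
    static void Main()
    {
        // Constructed placeholder, not a real key.
        string path = Path.Combine(Path.GetTempPath(), "example-app.key");
        KeyStore.Save(path, "EXAMPLE-API-KEY-PLACEHOLDER");
        Console.WriteLine(KeyStore.Load(path) == "EXAMPLE-API-KEY-PLACEHOLDER" ? "round trip ok" : "mismatch");
    }
}
```

This raises the bar exactly as far as the answer says and no further: the blob is useless to another user or on another machine, and nothing in the binary or config is readable as plain text, but the account the application runs under can always decrypt it, which is the same account that can attach a debugger or run Fiddler. If the key must be hidden from that user too, only the proxy approach in the first answer does it.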

Perhaps you can ask your users to use their own API keys. They can register with the APIs, and then enter their key in the settings of your application.

0
