The apps that I build frequently have 'social media service' requirements; e.g.

1. Twitter
2. bit.ly
3. Facebook

For most of these services, I need to have an API key of some sort. I'm trying to work out the best way of including these API keys in the application binary. The desired level of security depends on the possible attacks that can be conducted by malicious attackers.

Twitter

• I have an xAuth-enabled key and secret. Both need to be used by the iPhone app.

Fallout from attack

• Malicious users could post twitter status updates masquerading as coming from my app. There is no twitter account to hijack and start posting status updates on.

bit.ly

• I have a username, password and API key.
• To login to the website and access analytics, the username and password are required.
• To create links via the API, only the username and API key are required by my iPhone apps. The password will not be in the app in any form.

Fallout from attack

• Malicious users could create links on my bit.ly account. They would need to do a separate attack to brute-force or otherwise gain the password to login to the account.

For both of those services, the potential for harm doesn't seem too great. But for other services, it could be much worse.

I can just define the API credentials as strings in the header or in-line in the code, but then it's vulnerable to someone using strings on the application to see what's in it.

I could then start doing silly concatenation / xor-ing in the code to recreate the API key in memory, and the attacker would have to do a bit more work to recover any keys in the binary. My concern with that is that I'm not a c开发者_Python百科ryptographer and would create an embarrassingly weak form of obfuscation there.

What better suggestions do people have?

The attacker can just sniff your traffic and extract the secret from there. So any obfuscation is easily circumvented.

Even SSL won't help much, since you can intercept the networking API which receives the unencrypted data.

The secure way to solve this is create your own server, keep the secret stuff server side, and use your own server from your app, and the server then relays to the other webservice. This way the attacker never has access to the secret.

A good suggestion is not to worry about it. There are plenty of apps that store their API keys in plain text. The point is you need a lot of different bits of information to construct an access token.

As long as you're not storing username+password combos in plain text on the file system or transmitting them over the network without SSL/HTTPS etc then you're fine.