如何在应用程序的二进制文件中存储秘密 API 密钥?
我正在为 Mac OS X 创建一个 Twitter 客户端,并且我有一个消费者秘密。据我了解,我不应该分享这个秘密密钥。问题是,当我将它作为字符串文字放入我的应用程序并使用它时,如下所示:
#define QQTwitterConsumerSecret @"MYSECRETYOUMAYNOTKNOW"
[[QQTwitterEngine alloc] initWithConsumerKey:QQTwitterConsumerKey consumerSecret:QQTwitterConsumerSecret];
它位于我的应用程序二进制文件的数据部分中。黑客可以阅读此内容、反汇编应用程序等等。
有没有安全的方法来存储消费者秘密?我应该加密它吗?
I am creating a Twitter client for Mac OS X and I have a Consumer secret. It's to my understanding I should not share this secret key. The problem is that when I put it as a string literal into my application and use it, like this:
#define QQTwitterConsumerSecret @"MYSECRETYOUMAYNOTKNOW"
[[QQTwitterEngine alloc] initWithConsumerKey:QQTwitterConsumerKey consumerSecret:QQTwitterConsumerSecret];
It is in the data section of my application's binary. Hackers can read this, disassemble the application, etcetera.
Is there any safe way of storing the Consumer secret? Should I encrypt it?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
没有真正完美的解决方案。无论你做什么,致力于它的人都能够窃取它。
甚至适用于 iPhone/iPad/Android/mac/等的 Twitter。那里有一把秘密钥匙,他们很可能只是以某种方式掩盖了它。
例如,您可以将其分解为不同的文件或字符串等。
注意:使用十六进制编辑器,您可以读取二进制文件中的 ascii 字符串,这是最简单的方法。通过将其分成不同的部分或使用函数调用来创建密钥通常会使该过程变得更加困难。
There is no real perfect solution. No matter what you do, someone dedicated to it will be able to steal it.
Even Twitter for iPhone/iPad/Android/mac/etc. has a secret key in there, they've likely just obscured it somehow.
For example, you could break it up into different files or strings, etc.
Note: Using a hex editor you can read ascii strings in a binary, which is the easiest way. By breaking it up into different pieces or using function calls to create the secret key usually works to make that process more difficult.
您可以对其进行 base64 编码以对其进行混淆。或者,更好的主意是生成密钥而不是仅仅存储它 - 编写如下内容:
然而,一个真正优秀的黑客无论如何都会找到它;真正保护它不被其他人看到的唯一方法是使用安全哈希函数,但这样你也将无法检索它:)
You could just base64-encode it to obfuscate it. Or, better idea, generate the key instead of just storing it - write something like this:
However, a really good hacker will find it no matter what; the only way to really protect it from others' eyes is using a secure hash function, but then you won't be able to retrieve it, too :)
您不应在不单独在您的服务器上运行的应用程序中使用秘密 api 密钥。
即使它完全隐藏......您始终可以窥探通过线路的数据。而且由于它是您的设备,您甚至可以篡改 SSL(中间人使用由自定义 CA 创建的证书,该证书已添加到设备的受信任 CA 列表中)。或者您可以连接到 SSL 库以在实际加密之前拦截数据。
You should not use a secret api key in an application that does not run solely on your server.
Even if it's perfectly hidden.. you can always snoop on the data going through the wire. And since it's your device you could even tamper with SSL (man in the middle with a certificate created by a custom CA which was added to the device's trusted CA list). Or you could hook into the SSL library to intercept the data before actually being encrypted.
一个非常晚的答案...
如果您设置自己的服务器,您可以使用它来帮助您的桌面应用程序获得 Twitter 上用户的授权,而无需共享(即:嵌入)您的密钥。
您可以使用这种方法:
当用户安装您的桌面应用程序时,她必须在 twitter 和您的服务器上注册它
*)
*) 应用程序要求服务器生成令牌请求 URL
*) 服务器将生成的URL发送给应用程序
*) 应用程序将用户引导至授权 URL
*) 用户在 Twitter 上授权您的应用程序并将生成的 PIN 粘贴到其中
*) 使用 PIN,您的应用程序可以获取令牌
*) 所有进一步的通信都使用令牌,并且不涉及您的服务器
注意:应用程序使用服务器的用户凭据(例如:id 和密码)登录到您的服务器。
A really late answer...
If you setup your own server, you can use it for helping you desktop app getting authorized by users on twitter without sharing (i.e.: embedding) your secret key.
You can use this approach:
When a user installs you desktop app she must register it with twitter and with your server
*)
*) The app asks the server to generate the token request URL
*) The server sends the generated URL to the app
*) The app directs the user to the authorize URL
*) The user authorizes your app on twitter and pastes the generated PIN into it
*) Using the PIN you app grabs the token
*) All further communication uses the token and does not involve your server
Note: the app logs to your server using the user credentials (e.g.: id and password) for your server.