How to protect an API key in a .NET application
My application hits a number of web services, such as Twitter and Flickr. It uses API keys from those services, and I'd like to obfuscate them in my binaries. (I'm not really worried about piracy or anything, I just need to keep these keys secret.)

What's the best way to go about it?

If I store them as const SecureString, does that keep them out of memory? The MSDN description says the text is "deleted from computer memory when no longer needed", but isn't a const always in memory?

Will Dotfuscator obscure it in my assembly? (Assuming I can get it to work.)

Bangle answered 8/2, 2011 at 21:13 Comment(3)
You can't. If a malicious attacker wants your API key, obfuscating your binary won't prevent them from accessing it. Anyone else wouldn't know what to do with the key anyway. – Barre
I think SecureString would make the situation even worse, since it's a big sign saying "Look at me, I'm so secret". SecureString protects against things like swapping a key to disk, but not against a malicious user. – Miltonmilty
And simply intercepting your http(s) request to Twitter should be trivial too. – Miltonmilty
I've recently had to deal with exactly this situation. The problem isn't so much making sure someone can't easily find it using a hex editor but rather when it's sent over the wire to the various APIs. Simply running fiddler and watching requests will show the key regardless. Some APIs will have the benefit of a private/public key which helps a little.

The only solution I could come up with was to create a web service of my own, externally hosted, that acted as a proxy between the client and the targeted API. This allowed me to generate individual keys for each terminal that I could activate/deactivate, and the majority of the sensitive data was stored on my remote proxy application.

Good luck!

~ "Don't forget to drink your Ovaltine"

Varipapa answered 8/2, 2011 at 22:2 Comment(1)
Is it possible for you to post some sample code for your solution, or explain more about how it works? – Heracles
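A sketch of the proxy design described in this answer, added here as an example and not Varipapa's own code: a C# service that holds the real upstream key, issues per-terminal keys it can revoke, and relays calls. All names are hypothetical; the network send is injected as a delegate so the sample runs offline, and the upstream key and URL are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Threading.Tasks;

// Hypothetical proxy: the real upstream API key lives only here; clients hold per-terminal keys.
public sealed class KeyProxy
{
    private readonly string _upstreamApiKey;   // the secret; it is never sent to any client
    private readonly Uri _upstreamBase;
    private readonly Func<HttpRequestMessage, Task<HttpResponseMessage>> _send; // injected transport
    private readonly Dictionary<string, bool> _terminalKeys = new Dictionary<string, bool>(); // key -> active?
    public KeyProxy(string upstreamApiKey, Uri upstreamBase, Func<HttpRequestMessage, Task<HttpResponseMessage>> send)
    { _upstreamApiKey = upstreamApiKey; _upstreamBase = upstreamBase; _send = send; }

    // Issue a fresh random key for one terminal; it reveals nothing about the upstream key.
    public string IssueTerminalKey()
    {
        var buf = new byte[32]; RandomNumberGenerator.Fill(buf);
        var key = Convert.ToBase64String(buf); _terminalKeys[key] = true; return key;
    }
    public void Deactivate(string terminalKey) => _terminalKeys[terminalKey] = false;
    public bool IsActive(string terminalKey) => _terminalKeys.TryGetValue(terminalKey, out var active) && active;

    // Check the terminal key, attach the real credential server-side, and relay the call upstream.
    // A production proxy would also allow-list which upstreamPath values a terminal may request.
    public async Task<HttpResponseMessage> ForwardAsync(string terminalKey, string upstreamPath)
    {
        if (!IsActive(terminalKey))                      // unknown or revoked: nothing is forwarded
            return new HttpResponseMessage(HttpStatusCode.Unauthorized);
        var req = new HttpRequestMessage(HttpMethod.Get, new Uri(_upstreamBase, upstreamPath));
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", _upstreamApiKey);
        return await _send(req);
    }
}

public static class Demo
{
    public static async Task Main()
    {
        // Constructed stand-in for the network: accepts only requests carrying the upstream key.
        Task<HttpResponseMessage> FakeSend(HttpRequestMessage r) => Task.FromResult(new HttpResponseMessage(
            r.Headers.Authorization?.Parameter == "UPSTREAM-KEY-PLACEHOLDER" ? HttpStatusCode.OK : HttpStatusCode.Forbidden));
        var proxy = new KeyProxy("UPSTREAM-KEY-PLACEHOLDER", new Uri("https://upstream.example/"), FakeSend);
        var terminalKey = proxy.IssueTerminalKey();            // hand this to one installed client
        Console.WriteLine((await proxy.ForwardAsync(terminalKey, "resource")).StatusCode);
        proxy.Deactivate(terminalKey);                         // revoke that client without touching the others
        Console.WriteLine((await proxy.ForwardAsync(terminalKey, "resource")).StatusCode);
    }
}
```

The client binary ships only its own terminal key, so a key recovered from one install or one traffic capture can be deactivated without rotating the upstream credential.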
Anon is correct: there is no way to completely protect data; someone can always get at it.

But you want to make it as difficult as possible. This means not doing the things that make it easy to read:

  • not storing in a registry key (e.g. TwitterAPIKey REG_SZ)
  • not storing in a text file (e.g. twitterkey.txt), or in an ini file
  • not storing in the application's .config file
  • not storing as plain text in the binary
  • not storing unencrypted in the binary

This leaves only people who have knowledge of a debugger and (possibly) assembly code.

You've reduced the attack surface a lot.

Follow just the first three suggestions and you'll be well on your way.

Skep answered 8/2, 2011 at 21:36 Comment(0)
Maybe you can ask your users to use their own API keys. They can register themselves with the APIs, and then reference their key in your app's settings.

Euraeurasia answered 8/2, 2011 at 22:11 Comment(1)
This would be a non-starter for mobile apps. – Misprision
