How to secure API keys in applications that will be distributed to clients

I am building an application that uses two-legged authentication. I got an API key and API secret, but now I am confused.

I am currently storing my API keys and secrets in a .yml file. But I would like to distribute the .app code, which will end up having the .yml file.

But the .app file will contain the .yml file, which is bad since everyone will be able to see the API key and secret.

How can I store the API key and secret such that my application can access the key and secret without the users seeing them?

Answer

The answer depends on a few variables:

  1. Is your source included?
  2. Is it possible to use a server to call the API for you? If so, can you also apply restrictions to the call that the server makes?
  3. Is using compiled code for where you store the key an option? If so, is it possible to obfuscate it?

Here are my suggestions for different scenarios from experience:

The source is not included, using a server is an option and restrictions can be applied, but using compiled code is not an option

Then use a server to make the requests. Let's say you need to make a call to example.com/api/v1, and you want to call a specific function with a specific set of arguments. Then you can allow requests only to that specific API, with that specific set of arguments, and that specific function. This way it means nothing to a potential attacker, since it only calls one function and nothing else.

The source is not included, using a server is not an option, and compiled code is not an option either

Well, there's not much you can do; obfuscation is your best shot. The best way to do something like this is to hide it deep within your code, make it obscure, etc.

The source is included, using a server is not an option, but you can use compiled code

Use really obfuscated assembly and don't share the source for that if you can. For instance, you can have red herring instructions, and, just like before, you should hide it deep in your code.

The source is not included, using a server is not an option, but you can use compiled code

For this it's the same as above, since the source for the assembly wouldn't be included.

If I didn't list your scenario here, then feel free to comment and I'll edit my answer.
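The first scenario in the answer (a server makes the upstream call and the client is restricted to one function with one set of arguments) as an added example; this is not code from the question or the answer. It assumes a hypothetical upstream at example.com/api/v1, a single permitted function named `weather` with a single argument `city`, and a hypothetical provider signing scheme (HMAC-SHA256 over method, path, query and timestamp). The real provider's signing rules and function names will differ; the point is the allow-list and the fact that the secret is only ever read on the server.

```python
"""Server-side proxy that keeps the API key and secret off the client.

Added example. Everything about the upstream (base URL, function name,
argument name, signing scheme) is a hypothetical stand-in.
"""
import hashlib
import hmac
import os
import re
import time
from urllib.parse import urlencode

UPSTREAM_BASE = "https://example.com/api/v1"  # hypothetical upstream API

# Credentials live in the proxy server's environment, never in the shipped .app.
# The demo defaults exist only so the example runs offline.
API_KEY = os.environ.get("EXAMPLE_API_KEY", "demo-key")
API_SECRET = os.environ.get("EXAMPLE_API_SECRET", "demo-secret")

# The allow-list: exactly one function, and a validator for each argument it
# may carry. Anything not listed is rejected before the secret is touched.
_CITY_RE = re.compile(r"^[A-Za-z][A-Za-z .'-]{0,63}$")
ALLOWED = {
    "weather": {"city": lambda v: isinstance(v, str) and bool(_CITY_RE.match(v))},
}


class ProxyRejected(Exception):
    """The client asked for something outside the allow-list."""


def validate(function, args):
    """Accept only the allow-listed function with exactly its allowed arguments."""
    schema = ALLOWED.get(function)
    if schema is None:
        raise ProxyRejected(f"function not allowed: {function!r}")
    extra = set(args) - set(schema)
    if extra:
        raise ProxyRejected(f"unexpected arguments: {sorted(extra)}")
    missing = set(schema) - set(args)
    if missing:
        raise ProxyRejected(f"missing arguments: {sorted(missing)}")
    for name, check in schema.items():
        if not check(args[name]):
            raise ProxyRejected(f"invalid value for {name!r}")


def sign(method, path, query, timestamp, secret=API_SECRET):
    """HMAC-SHA256 over a canonical request string (hypothetical provider scheme)."""
    canonical = "\n".join([method, path, query, str(timestamp)]).encode()
    return hmac.new(secret.encode(), canonical, hashlib.sha256).hexdigest()


def build_upstream_request(function, args, timestamp=None):
    """Turn a validated client request into the signed upstream request.

    Returns (url, headers). This is the only place the secret is used, and it
    runs on the server, so the .app never contains or receives it.
    """
    validate(function, args)
    if timestamp is None:
        timestamp = int(time.time())
    path = f"/api/v1/{function}"
    query = urlencode(sorted(args.items()))
    headers = {
        "X-Api-Key": API_KEY,
        "X-Timestamp": str(timestamp),
        "X-Signature": sign("GET", path, query, timestamp),
    }
    return f"{UPSTREAM_BASE}/{function}?{query}", headers


def handle_client(function, args):
    """Entry point the distributed .app talks to; returns a client-safe dict."""
    try:
        url, headers = build_upstream_request(function, args)
    except ProxyRejected as exc:
        return {"ok": False, "error": str(exc)}
    # A real deployment would perform the HTTP call with `headers` here and
    # relay the upstream body; the signed request itself is not sent back.
    return {"ok": True, "upstream": url}


if __name__ == "__main__":
    print(handle_client("weather", {"city": "Berlin"}))
    print(handle_client("users", {"id": "1"}))
    print(handle_client("weather", {"city": "Berlin", "debug": "1"}))
```

The client's request and the proxy's response carry no key, no secret and no signature; only `build_upstream_request` ever sees the secret. Reversing the .app therefore yields nothing but the proxy's address and the one call it will relay, which is the property the answer describes.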