tags:

views:

33

answers:

1
+1  Q: 

How To Protect Sensitive Keys in Adobe Air Apps?

What are the best practices for delivering an Adobe Air app that needs a private key in order to communicate with some online API?

Adobe Air apps seem like they are delivered to the user with full source code, so storing any keys within the source would be a really bad idea. I've read some suggestions saying to download the key from your server, but that has the same problem because the url allowing the download would have to be stored in source code. Also, suggestions saying to store in the encrypted local storage don't make sense to me either, because I still have to obtain the private key somehow.

A: 

I think this is a global problem of delivering secret keys in any application, since everything can be reverse-engineered (disasamble for executables, IL readers, etc.)

No matter what you do, if the client application needs to somehow "know" a secret key, then the user can know the secret key.

Assuming that:

  1. You deliver a product ("client application") which relys on some 3rd party web service ("the service").
  2. Your company has just one secret key ("company key") for using the service.
  3. The company key must never be exposed (due to possible abuse)
  4. Every piece of information held by or transmitted by the client application is exposed

A solution might be to use some proxy:

  1. The proxy implements the API of the service
  2. The client application connects to the proxy
  3. The proxy connects to the service using the company key
  4. The proxy delegates all calls from the client to the service and vice-versa
M.A. Hanin  2010-04-23 14:07:05
Thanks very much. I had these thoughts too, but thought there might be some standard practice that I wasn't thinking about. And by adding security to the proxy, you ensure that your keys are only usable by authorized users. I found this related discussion on the Twitter API and how they are moving to only allowing OAuth: http://twitter.pbworks.com/oauth-desktop-discussion
Colin Mathews  2010-04-23 14:54:41
Very true, the proxy itself should be protected. The main idea is that if you can't change the security scheme for the 3rd party service, then you "wrap" it with a proxy which implements the security scheme that you want to impose.
M.A. Hanin  2010-04-23 14:57:07
Downvoters: care to explain yourselves?
M.A. Hanin  2010-04-27 08:20:53

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security