views:

33

answers:

1

What are the best practices for delivering an Adobe Air app that needs a private key in order to communicate with some online API?

Adobe Air apps seem like they are delivered to the user with full source code, so storing any keys within the source would be a really bad idea. I've read some suggestions saying to download the key from your server, but that has the same problem because the url allowing the download would have to be stored in source code. Also, suggestions saying to store in the encrypted local storage don't make sense to me either, because I still have to obtain the private key somehow.

A: 

I think this is a global problem of delivering secret keys in any application, since everything can be reverse-engineered (disasamble for executables, IL readers, etc.)

No matter what you do, if the client application needs to somehow "know" a secret key, then the user can know the secret key.

Assuming that:

  1. You deliver a product ("client application") which relys on some 3rd party web service ("the service").
  2. Your company has just one secret key ("company key") for using the service.
  3. The company key must never be exposed (due to possible abuse)
  4. Every piece of information held by or transmitted by the client application is exposed

A solution might be to use some proxy:

  1. The proxy implements the API of the service
  2. The client application connects to the proxy
  3. The proxy connects to the service using the company key
  4. The proxy delegates all calls from the client to the service and vice-versa
M.A. Hanin
Thanks very much. I had these thoughts too, but thought there might be some standard practice that I wasn't thinking about. And by adding security to the proxy, you ensure that your keys are only usable by authorized users. I found this related discussion on the Twitter API and how they are moving to only allowing OAuth: http://twitter.pbworks.com/oauth-desktop-discussion
Colin Mathews
Very true, the proxy itself should be protected. The main idea is that if you can't change the security scheme for the 3rd party service, then you "wrap" it with a proxy which implements the security scheme that you want to impose.
M.A. Hanin
Downvoters: care to explain yourselves?
M.A. Hanin