如何在应用程序的二进制文件中存储秘密 API 密钥? [英] How to store a secret API key in an application's binary?

问题描述

我正在为 Mac OS X 创建一个 Twitter 客户端，并且我有一个消费者机密.据我所知，我不应该分享这个秘密密钥.问题是，当我将它作为字符串文字放入我的应用程序并使用它时，就像这样:

I am creating a Twitter client for Mac OS X and I have a Consumer secret. It's to my understanding I should not share this secret key. The problem is that when I put it as a string literal into my application and use it, like this:

#define QQTwitterConsumerSecret @"MYSECRETYOUMAYNOTKNOW"

[[QQTwitterEngine alloc] initWithConsumerKey:QQTwitterConsumerKey consumerSecret:QQTwitterConsumerSecret];

它位于我的应用程序二进制文件的数据部分.黑客可以阅读此内容、反汇编应用程序等.

It is in the data section of my application's binary. Hackers can read this, disassemble the application, etcetera.

是否有任何安全的方式来存储消费者的秘密?我应该加密吗?

Is there any safe way of storing the Consumer secret? Should I encrypt it?

推荐答案

没有真正完美的解决方案.无论你做什么，都会有人专心致志地窃取它.

There is no real perfect solution. No matter what you do, someone dedicated to it will be able to steal it.

甚至适用于 iPhone/iPad/Android/mac/等的 Twitter.里面有一个秘密钥匙，他们很可能只是以某种方式隐藏了它.

Even Twitter for iPhone/iPad/Android/mac/etc. has a secret key in there, they've likely just obscured it somehow.

例如，您可以将其分解为不同的文件或字符串等.

For example, you could break it up into different files or strings, etc.

注意:使用十六进制编辑器，您可以读取二进制文件中的 ascii 字符串，这是最简单的方法.通过将其分解为不同的部分或使用函数调用来创建密钥通常会使该过程变得更加困难.

Note: Using a hex editor you can read ascii strings in a binary, which is the easiest way. By breaking it up into different pieces or using function calls to create the secret key usually works to make that process more difficult.

这篇关于如何在应用程序的二进制文件中存储秘密 API 密钥?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！