
In my case I'm using the Dropbox API. Currently I'm storing the key and secret in a JSON file, just so that I can gitignore it and keep it out of the Github repo, but obviously that's no better than having it in the code from a security standpoint. There have been lots of questions about protecting/obfuscating Python before (usually for commercial reasons) and the answer is always "Don't, Python's not meant for that."

Thus, I'm not looking for a way of protecting the code but just a solution that will let me distribute my app without disclosing my API details.

hippietrail
lavelle
  • Stuff them in a text file as encrypted values. Create a privately stored encryption key, decrypt when needed. There might be a better way though, but this way has worked for me well in the past. – Mike McMahon Apr 27 '12 at 19:46
  • If someone runs the program on their computer, and the program uses the key, it's practically disclosed. It doesn't take a genius to fire up WireShark, let the program connect, and filter the capture for connections to dropbox (or some other criterion - worst case you're digging through a few hundred packets). And merely obfuscating the program wouldn't buy you anything, as you can't change the string literal that the API key is, or it would be of no use to your program. –  Apr 27 '12 at 20:22
  • @delnan But would the API key be visible in the HTTP traffic? Dropbox do everything over SSL. I don't know if they use GET or POST variables or just put them in the headers of the HTTP request. Are those things encrypted in a HTTPS request, or just the body of the request? – lavelle Apr 29 '12 at 08:58
  • If it turns out you can't discover them by packet-sniffing then the only problem is the local copy of them and @Mike McMahon's idea of encrypting them sounds worth a try. – lavelle Apr 29 '12 at 09:00
  • I refuse to believe there's no way to protect them, otherwise why do API keys exist? – lavelle Apr 29 '12 at 09:01
  • HTTPS indeed ought to rule out that part, sorry for the confusion. Still, the program has got to have the plain text key in memory at some point, if only to send it (and have it encrypted by SSL). It may be harder, but a skilled attacker could still grab it there. People also keep beating DRM and copy protection. The primary way out is controlling all relevant parts, i.e. having a server. There are numerous *websites* that access e.g. the google maps API (presumably with an API key too), but I'm not aware of any desktop applications that do that. –  Apr 29 '12 at 09:07
  • Yeah, I guess ultimately it's never going to be totally secure so the best you can hope for is making it so difficult that it's not worth the effort for the attacker. Obviously my program isn't a high profile target for an attack but this project is more about learning the concepts. – lavelle Apr 29 '12 at 09:35
  • My understanding is that the API keys exist to provide some application-level control to Dropbox (the company). But as several people have pointed out, there is absolutely no way to protect them. The "best" you can do is to obfuscate them. – Jeff May 15 '12 at 20:45
  • The issue seems to be the same as storing api keys for "client" python libraries. See [this answer](https://stackoverflow.com/a/60481009/7262247), I think that it applies equally. – smarie Mar 02 '20 at 00:12

3 Answers


Plain text. Any obfuscation attempt is futile if the code gets distributed.

orlp

Don't know if this is feasible in your case. But you can access the API via a proxy that you host.

The requests from the Python app go to the proxy and the proxy makes the requests to the Dropbox API and returns the response to the Python app. This way your API key will be at the proxy that you're hosting. The access to the proxy can be controlled by any means you prefer (for example, username and password).

Can't Tell
  • In general that's a good solution but in my case I chose to use Dropbox specifically because I have neither the resources nor the inclination to host my own server, I just wanted to focus on making the client. – lavelle Apr 28 '12 at 08:14
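The proxy this answer describes, as an added example that is not code from the answer or from Dropbox: the app key and secret stay on the proxy host, each client holds only its own password, and the proxy forwards only an allow-listed set of operations. The `upstream` callable, the endpoint names, the user table and the placeholder credentials are all constructed stand-ins for the real HTTPS call to Dropbox.

```python
import base64
import hashlib
import hmac
import secrets

# The Dropbox app key/secret live only on the proxy host. Constructed placeholders
# here; in practice read them from the environment or a secret store at startup.
DROPBOX_APP_KEY = "PLACEHOLDER-APP-KEY"
DROPBOX_APP_SECRET = "PLACEHOLDER-APP-SECRET"

# Allow-list of upstream operations the client may trigger (constructed names,
# not real Dropbox endpoints): a stolen client credential buys only these calls.
ALLOWED_PATHS = {"/list_folder", "/download"}

def _hash_password(password, salt=None):
    """Salted PBKDF2 so the proxy never stores client passwords in clear."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user table for the proxy's own clients: {username: (salt, digest)}
USERS = {"alice": _hash_password("correct horse battery staple")}

def basic_auth_header(user, password):
    """What the distributed client sends: its own credential, never the app key."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def authenticate(auth_header):
    """Return the username if the Basic header matches USERS, else None."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth_header[6:]).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 payload
        return None
    record = USERS.get(user)
    if record is None:
        return None
    salt, expected = record
    _, got = _hash_password(password, salt)
    return user if hmac.compare_digest(got, expected) else None  # constant-time

def proxy_request(path, auth_header, upstream):
    """Authenticate the client, enforce the allow-list, then forward to `upstream`,
    a stand-in for the proxy's HTTPS call to Dropbox. Returns (status, body)."""
    user = authenticate(auth_header)
    if user is None:
        return 401, "authentication required"
    if path not in ALLOWED_PATHS:
        return 403, "operation not permitted"
    return upstream(path, DROPBOX_APP_KEY, DROPBOX_APP_SECRET)
```

A real deployment would wrap `proxy_request` in an HTTPS server and pass a function that performs the Dropbox call as `upstream`; the client code that ships to users then contains no Dropbox credential at all.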

There are two ways depending on your scenario:

If you are developing a web application for end users, just host it in a way that your API key is not disclosed. So keeping it gitignored in a separate file and only uploading it to your server should be fine (as long as there is no breach of your server). Any obfuscation will not add any practical benefit, it will just give a false feeling of security.

If you are developing a framework/library for developers or a client application for end users, ask them to generate an API key on their own.

schlamar