5

While developing a desktop application that needs to access the Twitter API, one must somehow pass the API key (the application-specific consumer key and consumer secret) for the application to the user. Twitter's API TOS states that the application's API key cannot be publicly available and, if that happens, they reset it. When that application is under the GPL, meaning the developer needs to provide the source code to the user, how would that user be able to obtain the API key without it being publicly available? Is there a standard way to handle this issue? Thanks.

Edit: To clarify the situation, I had been storing them in plain text in my code for cree.py so far, as a conscious decision. But yesterday Twitter's support team contacted me to say that they had reset my key, and their reasoning was the following:

C. You should not solicit another developer's consumer keys or consumer secrets especially if they will be stored or used for actions outside of that developer's control. Keys and secrets that are compromised will be reset by Twitter. For example, online services that ask for these values in order to provide a "tweet-branding" service are not allowed. https://dev.twitter.com/terms/api-terms If an application's keys are posted publicly, it allows for external parties to hijack the application's API access. This presents an enormous abuse risk, and as such we've reset your API keys. Please take care to ensure that these keys are not posted publicly again.

Thanks, Twitter API Policy

SamB
Yiannis Kakavas
  • Well, if Twitter insists on protecting you, you'll have to break cree.py in two, one part being a proxy server maintained by you and you only, through which every cree.py variant asks Twitter. Otherwise, you should have everyone who wants to use cree.py have their own set of keys – adamo Oct 07 '11 at 12:38
  • Well, they were pretty absolute about the "honor system" breaking their TOS. I guess their API, their rules. Proxying all requests would be cumbersome; I guess I could just set up a server feeding the application API key on first run to each client. But there are enough GPL desktop applications that access the Twitter API (i.e. Twitter clients), so I am looking for thoughts on the "standard" procedure. – Yiannis Kakavas Oct 07 '11 at 12:55

3 Answers

1

I might be dense here, but why don't you store them in a configuration file, the Windows registry, etc. and read them from there? Then distribute the application without the file, and you're done.

reiniero
  • The problem with this plan is that it requires every user to go get their own API key. Which they're probably not going to want to do. It's a reasonable solution if you're writing a library that you expect other users to configure themselves, but not so great if you expect the vast majority of your users to want to just download the binaries and run them. – me_and Jun 15 '12 at 10:53
  • You can adapt your application to let your user get their access_token and access_token_secret once (e.g. using OOB/PIN authentication) and then store the credentials. From there on (and when restarting the application), they're authenticated. – reiniero Jun 16 '12 at 09:00
  • What @me_and meant with API key is the consumer key and consumer secret, not the access token and secret. As you say, the access token and secret are handled via OOB/PIN authentication on first run. This is not a problem. However, this question is about how to distribute and store the consumer key and consumer secret in desktop applications. – Yiannis Kakavas Jun 20 '12 at 08:21
  • Ok. I understand why you see that as a problem. I also understand why Twitter would like separate consumer keys/secrets. The application could e.g. open a browser to https://twitter.com/settings/applications and save the consumer key/secret... See your point though. – reiniero Jun 20 '12 at 16:49
1

Well, TTYtter evidently uses the honour system:

# yes, this is plaintext. obfuscation would be ludicrously easy to crack,
# and there is no way to hide them effectively or fully in a Perl script.
# so be a good neighbour and leave this the fark alone, okay? stealing
# credentials is mean and inconvenient to users. this is blessed by
# arrangement with Twitter. don't be a d*ck. thanks for your cooperation.
$oauthkey = (!length($oauthkey) || $oauthkey eq 'X') ?
        "XXXXXXXXXXXXXXXXXXXXX" : $oauthkey;
$oauthsecret = (!length($oauthsecret) || $oauthsecret eq 'X') ?
        "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" : $oauthsecret;

(I have replaced the actual keys with Xs, to make it a little less likely that anyone will go to the trouble to abuse them, but rest assured that they are present in full in the actual source!)

Also, I don't see anything in the Rules of the Road actually requiring you to keep these things secret: the closest thing I see is the statement "Keys and secrets that are compromised will be reset by Twitter."; they never actually say what "compromised" means, though.

SamB
  • I updated the question to further clarify. I had been using the honor system for 7 months and it was working, but yesterday Twitter API support decided that it should "protect" me and reset my keys. – Yiannis Kakavas Oct 07 '11 at 12:32
  • As of today (long time, yes), TTYtter no longer stores the keys in plaintext. Their homepage shows an example of how each user sets his/her own key: "Request from https://api.twitter.com/oauth/request_token .... SUCCEEDED!" – Shadi Feb 12 '20 at 15:17
0

Maybe another solution would be to use a server: the server interacts with the Twitter API, and you request information from your server with your desktop application.

That way, the API key is only stored on the server, and no user can get it.
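To make concrete both why Twitter treats a public consumer secret as a hijack risk and what the proxy design in this answer (and adamo's comment above) actually moves off the client, here is an added example written for this page, not code from cree.py, TTYtter or Twitter. In OAuth 1.0a the consumer secret is half of the HMAC-SHA1 key over every request, so anyone holding it can sign requests that the provider attributes to your application. The code implements the RFC 5849 signature base string and HMAC-SHA1 signature, a hypothetical SigningProxy that alone holds the consumer secret and hands the desktop client a finished Authorization header, and a provider-side verifier that recomputes the signature. The request URL, body, consumer key, token, nonce and timestamp are the sample values from RFC 5849 section 3.4.1; the two secrets, the registry dicts and the class and function names are constructed for the example.

```python
"""OAuth 1.0a HMAC-SHA1 signing split between an untrusted desktop client and a
proxy that alone holds the consumer secret. Added example; names are hypothetical."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(s: str) -> str:
    """RFC 3986 percent-encoding with only the unreserved set left bare (RFC 5849 3.6)."""
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    """Scheme and host lowercased, default port dropped, query string removed."""
    u = urlsplit(url)
    scheme, host = u.scheme.lower(), u.netloc.lower()
    for port, default_scheme in ((":80", "http"), (":443", "https")):
        if scheme == default_scheme and host.endswith(port):
            host = host[: -len(port)]
    return f"{scheme}://{host}{u.path or '/'}"


def signature_base_string(method: str, url: str, body: str, oauth_params: dict) -> str:
    """Method, base URI and normalized parameters joined by '&' (RFC 5849 3.4.1)."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    # Sort by encoded name, then encoded value, so duplicate names (a3 here) are stable.
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str) -> str:
    """The consumer secret is the first half of the HMAC key: whoever holds it signs as the app."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


class SigningProxy:
    """Hypothetical server run by the developer; the only place the consumer secret lives.
    The client sends the request it wants to make plus its own (per-user) token and token
    secret, and receives a complete Authorization header to forward to the API."""

    def __init__(self, consumer_key: str, consumer_secret: str):
        self._key = consumer_key
        self._secret = consumer_secret

    def authorize(self, method, url, body, token, token_secret, nonce, timestamp) -> str:
        oauth = {
            "oauth_consumer_key": self._key,
            "oauth_nonce": nonce,
            "oauth_signature_method": "HMAC-SHA1",
            "oauth_timestamp": timestamp,
            "oauth_token": token,
        }
        base = signature_base_string(method, url, body, oauth)
        oauth["oauth_signature"] = hmac_sha1_signature(base, self._secret, token_secret)
        return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))


def parse_authorization(header: str) -> dict:
    """Turn 'OAuth k="v", k="v"' back into decoded parameters."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth header")
    out = {}
    for part in header[len("OAuth "):].split(", "):
        k, _, v = part.partition("=")
        out[unquote(k)] = unquote(v.strip('"'))
    return out


def provider_verify(method, url, body, header, consumer_secrets: dict, token_secrets: dict) -> bool:
    """What the API does: look up the app by consumer key, recompute, compare in constant time.
    Nothing else identifies the application, which is why a leaked secret equals a hijacked app."""
    oauth = parse_authorization(header)
    consumer_secret = consumer_secrets.get(oauth.get("oauth_consumer_key", ""))
    token_secret = token_secrets.get(oauth.get("oauth_token", ""))
    if consumer_secret is None or token_secret is None:
        return False
    expected = hmac_sha1_signature(signature_base_string(method, url, body, oauth), consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode(), oauth.get("oauth_signature", "").encode())


# Request from RFC 5849 section 3.4.1; the secrets below are constructed for this example.
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2 q"
CONSUMER_KEY, CONSUMER_SECRET = "9djdj82h48djs9d2", "consumer-secret-known-only-to-proxy"
TOKEN, TOKEN_SECRET = "kkk9d7dh3k39sjv7", "user-token-secret"


def demo() -> tuple:
    """Returns (verified with the registered secret, verified after the provider reset it)."""
    header = SigningProxy(CONSUMER_KEY, CONSUMER_SECRET).authorize(
        "POST", RFC_URL, RFC_BODY, TOKEN, TOKEN_SECRET, "7d8f3e4a", "137131201")
    tokens = {TOKEN: TOKEN_SECRET}
    ok = provider_verify("POST", RFC_URL, RFC_BODY, header, {CONSUMER_KEY: CONSUMER_SECRET}, tokens)
    # After Twitter resets the key, every signature made with the old secret stops verifying.
    after_reset = provider_verify("POST", RFC_URL, RFC_BODY, header, {CONSUMER_KEY: "rotated"}, tokens)
    return ok, after_reset


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Two caveats follow directly from the code. First, the HMAC key is consumer secret plus token secret, so the proxy has to see each user's token secret (or hold the user tokens itself); moving the consumer secret to a server does not make the server trust-free. Second, a proxy that signs for anyone who connects is just the leaked secret with extra steps, since it is now an oracle that will sign arbitrary requests under your consumer key; it needs its own client authentication, rate limiting and logging, which is the "cumbersome" part the asker anticipated.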