I am developing an open source desktop Twitter client. I want to take advantage of the new xAuth authentication method, but my app is open source, which means that if I put the keys directly in the source file, this can be a vulnerability (am I right? A Twitter support person told me so).
On the other hand, putting the key directly into the binary doesn't make it unreadable either. I am writing my application in Python, so if I only ship PYC files, it is still a matter of seconds to get the keys out, thanks to Python's excellent reflection capabilities. If I make a small native module with the keys in it, then it is trivial to obtain the key by looking at the raw binary (the length of the keys and the character set are fixed).
What is your opinion? Is it really a security hole to expose the API key?
Security hole? Technically, yes, but these aren't nuclear launch codes we're talking about.
The worst thing that can happen is that someone takes your app's keys, does something against Twitter with them, and the keys get restricted. No user data will be exposed, because you are not sharing user tokens (that would be really bad, security-wise). Since anyone can register an app for free in 2 seconds, the only reason to impersonate your app this way would be specifically to damage the reputation of you or your app.
One thing you can do is leave them out of the source code, make it clear that anyone building from source needs to obtain their own keys and put them in the right place, and keep them in the binary versions that you distribute. It's not 100% secure, but it makes it a little harder, which will deter a certain number of ne'er-do-wells.
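The "keep them out of the tracked source, make source builders supply their own" approach from the answer, as an added Python example (not code from the question or answer). The file path, environment variable names and `[xauth]` section layout are assumptions for the example; the key values are constructed.

```python
import configparser
import os
from pathlib import Path

# Assumed layout for this example: the consumer key pair lives in a file that is
# excluded from version control, or in environment variables, never in a tracked source file.
CONFIG_FILE = Path.home() / ".mytwitterclient" / "consumer.ini"
ENV_KEY, ENV_SECRET = "TWITTER_CONSUMER_KEY", "TWITTER_CONSUMER_SECRET"

# Constructed sample of what the untracked config file looks like (values are fake).
EXAMPLE_INI = "[xauth]\nconsumer_key = abc123\nconsumer_secret = s3cr3t\n"


class MissingConsumerKeys(RuntimeError):
    """Raised when no key pair is configured; the message tells the builder what to do."""


def parse_consumer_ini(text):
    """Parse an INI fragment whose [xauth] section holds consumer_key and consumer_secret."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    if not parser.has_section("xauth"):
        raise MissingConsumerKeys("config has no [xauth] section")
    key = parser.get("xauth", "consumer_key", fallback="").strip()
    secret = parser.get("xauth", "consumer_secret", fallback="").strip()
    if not key or not secret:
        raise MissingConsumerKeys("consumer_key and consumer_secret must both be set")
    return key, secret


def load_consumer_keys(environ=None, config_path=CONFIG_FILE):
    """Environment variables win; otherwise read the untracked config file; otherwise fail loudly."""
    environ = os.environ if environ is None else environ
    config_path = Path(config_path)
    if environ.get(ENV_KEY) and environ.get(ENV_SECRET):
        return environ[ENV_KEY], environ[ENV_SECRET]
    if config_path.is_file():
        return parse_consumer_ini(config_path.read_text())
    # A source build without keys stops here with instructions instead of a cryptic auth error.
    raise MissingConsumerKeys(
        f"No xAuth consumer keys found. Register your own app with Twitter, then set "
        f"{ENV_KEY} and {ENV_SECRET}, or create {config_path} with a [xauth] section."
    )


if __name__ == "__main__":
    key, _secret = load_consumer_keys()
    print("loaded consumer key ending in", key[-4:])
```

For distributed binaries the same function can read a generated, untracked `consumer.ini` that the build script writes, so the tracked repository never contains the real pair.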