Best place to store secret keys?

Hi all

I’m using twitter in my app and I have to enter my twitter account’s consumer key and secret key in the main block of code.

Where’s the safest place to keep this very sensitive data in Corona, so hackers don’t hijack my twitter account?

Thanks.

first:  accept that someone “determined enough” could get at them no matter what you do (assuming they’re in your app *somewhere*)

having said that, unless you’ve got the next “Candy Crush” on your hands, it’s unlikely that anyone would bother with anything more than a quick attempt.  so as long as you don’t store your keys as plain text you’d probably foil any such “casual attempt” at hacking.

how to not use plain text?  your call, ranging from simple “break up the string and store substrings in varied (distant) places, some backwards, some not, some as raw character codes, etc, reassemble at run-time” (iow, simple “obfuscation”), to a DIY caesar cypher, or an xor cypher with the bit plugin, or strong encryption w openssl plugin (w its potential distribution problems).  or take them out of your app entirely with a server-side facades/proxies to do the actual calls while hiding the account details (tho then you’d want to authenticate the caller, a similar problem, in case they instead hack at your proxy), etc.  all boils down to how paranoid you want/need to be.

fwiw, hth

Thanks Dave

I will mix them up and reassemble them at run-time like you suggest. I’m not that paranoid, I just don’t want the secret keys simply sitting there in plain sight, that’s all.

Cheers.

Corona SDK converts the .lua files to byte code, so your keys won’t be obvious clear text.  If you’re really paranoid, you should encrypt them using our crypto library. 

Rob

Thanks for the heads up Rob.

just a further heads up:

strings are plainly visible in lua byte code (just dump resource.car into a text editor, see for yourself)

crypto doesn’t actually encrypt (just computes hashes/digests)

you’d need openssl to actually encrypt (or some lesser DIY cypher)

not my place to suggest if you should or shouldn’t be paranoid, but assuming you are, you’d need to do something more.
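To show what Dave means in practice (the split-and-reassemble obfuscation from his first reply, and his later point that string literals survive into Lua bytecode), here is an added check that is not code from the original thread or from Corona. It assumes Lua 5.1 (the version Corona SDK runs), uses `string.dump` as a stand-in for inspecting the compiled chunk, and the "secret" is a constructed placeholder, not a real key.

```lua
-- Added example, not part of the original thread. Shows what a grep over the
-- compiled bytecode finds for a plain literal versus an obfuscated one.
-- Assumes Lua 5.1; the secret below is a constructed placeholder.

-- Returns true when `needle` appears verbatim in the bytecode of `fn`.
local function visibleInBytecode(fn, needle)
  local bytecode = string.dump(fn)
  return bytecode:find(needle, 1, true) ~= nil
end

-- Naive: the secret sits in the source as one literal, as in the question.
local function plainHolder()
  return "PLACEHOLDER-consumer-secret-0123"
end

-- Obfuscated as Dave suggests: pieces kept apart, one reversed, one stored
-- as raw character codes, and only reassembled at run time.
local function obfuscatedHolder()
  local a = "PLACEHOLDER-"
  local b = "-remusnoc"                              -- "consumer-" reversed
  local c = string.char(115, 101, 99, 114, 101, 116) -- "secret" as char codes
  local d = "-0123"
  return a .. string.reverse(b) .. c .. d
end

-- Defender's check: does the full secret, or any piece of it, survive in the
-- dumped bytecode? Both holders return the same value at run time; only the
-- literal stored in the chunk differs.
local function report()
  local secret = "PLACEHOLDER-consumer-secret-0123"
  assert(obfuscatedHolder() == plainHolder(), "holders must agree at run time")
  return {
    plainVisible      = visibleInBytecode(plainHolder, secret),
    obfuscatedVisible = visibleInBytecode(obfuscatedHolder, secret),
    pieceVisible      = visibleInBytecode(obfuscatedHolder, "PLACEHOLDER-"),
  }
end

local r = report()
print("plain literal found in bytecode:      ", r.plainVisible)
print("reassembled secret found in bytecode: ", r.obfuscatedVisible)
print("a piece of it still found in bytecode:", r.pieceVisible)
```

The plain literal is found outright, the reassembled string is not, but its pieces still are; this is exactly the "foils a casual attempt, not a determined one" trade-off, and the reason the server-side proxy Dave mentions is the only option that removes the secret from the app altogether.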
