Securing API Keys

Getting Started Newbie Questions
#1

How do I secure the API keys in my app,

for example if I use oneSignal, I have to include my API key in the init function,

so if someone was able to uncompile the scripts he then could retrieve the api key and misuse it,

so is there a way to make these keys inaccessible ? 

#2

I use a basic substitution cipher moduleto re-code things I want a little more secure.

This isn’t awesome, but it is one more step the hacker would have to overcome.

Also, remember, un-compiled scripts are very hard to read, so a little bit of additional obfuscation goes a long ways.

#3

But that still won’t solve the problem, and it won’t be hard for the hacker to overcome it at all…

What does big apps do to secure their api keys ?

There are many apps that are easily decompiled using tools like JaDX, CFR, and others, > what do these apps do to secure their API keys ?

#4

They don’t store API keys as strings in an app.  Load them dynamically at run time from a server somewhere and use HTTPS.  This does mean your game is going to require an internet connection.

An offline option is to use OpenSSL - read more here

#5

I actually wanted offline option, but that still didn’t block the hacker from getting the API Key, he would just get the text to be decrypted and then would get the key and decrypt it himself…

#6

OK simple question… why would some want to hack your push notifications exactly?

#7

That’s a normal question am asking, how to secure my api keys, these are private keys that should not be exposed to the public for a reason,

maybe someone wants to mess with my app,

maybe someone wants to use a paid service for free through my api key,

maybe someone wants to mess with my app’s users,

and so on…

#8

I use a basic substitution cipher moduleto re-code things I want a little more secure.

This isn’t awesome, but it is one more step the hacker would have to overcome.

Also, remember, un-compiled scripts are very hard to read, so a little bit of additional obfuscation goes a long ways.

#9

But that still won’t solve the problem, and it won’t be hard for the hacker to overcome it at all…

What does big apps do to secure their api keys ?

There are many apps that are easily decompiled using tools like JaDX, CFR, and others, > what do these apps do to secure their API keys ?

#10

They don’t store API keys as strings in an app.  Load them dynamically at run time from a server somewhere and use HTTPS.  This does mean your game is going to require an internet connection.

An offline option is to use OpenSSL - read more here

#11

I actually wanted offline option, but that still didn’t block the hacker from getting the API Key, he would just get the text to be decrypted and then would get the key and decrypt it himself…

#12

OK simple question… why would some want to hack your push notifications exactly?

#13

That’s a normal question am asking, how to secure my api keys, these are private keys that should not be exposed to the public for a reason,

maybe someone wants to mess with my app,

maybe someone wants to use a paid service for free through my api key,

maybe someone wants to mess with my app’s users,

and so on…