2020-02-12 14:40:49

hello,
How can I secure the API key of an external application for example: google translator that it will not be so easily reverse engineered by others? I am using C#.

Raduvay se, raduvay
Raduvay se domaki ne
Kolko liste po gorach
Tolko zdrave na taz kyshcha

2020-02-12 14:47:55

I considered using AWS secret manager but here the circle continues, as I have to store my API key somnewhere

Raduvay se, raduvay
Raduvay se domaki ne
Kolko liste po gorach
Tolko zdrave na taz kyshcha

2020-02-12 15:38:55 (edited by Ethin 2020-02-12 15:40:44)

Typically, API keys can be stored outside the app: environment variables, configuration files, on a remote server, etc. The key when storing API keys is to give them *only* the privileges they require. If you want to utilize AWS secrets manager, for example, but you only want to read secrets, only give the key read-only access to AWS secrets manager and nothing else. Store the API key in a place that your application can access but that is not known by an attacker. For ideas, see stack overflow questions like this one. The ultimate key with API keys is that you use the principal of least privilege: should an attacker acquire your key, the worst they can do is limited to the privileges you gave to that key. If you've given the key read only access to something, the key is useless to an attacker.
Here are some good rules for storing API credentials in particular, as written by OSU:

  • Do not embed API keys / secrets directly in code.

  • Do not store API keys / secrets in files inside your application, including the application’s source tree.

  • If you do accidentally commit an API key / secrets to version control, revoke it immediately and generate a new one.

  • Ensure API keys / secrets do not appear in URLs or anywhere that can be captured in web server logs.

  • Review your code carefully and ensure it doesn’t contain API keys / secrets or any other private information before publicly releasing it.

  • Put the configuration file containing the API keys / secrets in the revision control ignore (ex. .gitignore). This prevents committing them by mistake in the future.

  • Restrict your API keys / secrets to be used by only the IP addresses, referrer URLs, and apps that need them.

  • Don't share your API keys / secrets with different applications. If more than one application uses the same API, register each application to get a new set of API keys / secrets.

  • Delete unneeded API keys / secrets.

  • Update (Regenerate) your API keys / secrets periodically.

I know this wasn't very helpful, but this question is very difficult to answer because it depends very heavily on your use case.

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.

Thumbs up

2020-02-12 17:12:13

I understand. I will try and find a good way, it's just not fun when I pay for something and someone stillls it because I was stupid haha./ I do ddevelop for desktop mainly so I am looking for a solution that will fit that particular use case.

Raduvay se, raduvay
Raduvay se domaki ne
Kolko liste po gorach
Tolko zdrave na taz kyshcha

2020-02-12 19:18:27

@4, I know. That's why you rotate your API keys regularly and restrict privileges to only allow what your using at the time the key is generated. That prevents people from doing much harm should they gain access to it.

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.

Thumbs up

2020-02-12 19:28:33

Thank you. I will take that to account. Hope I will find sometyhing out

Raduvay se, raduvay
Raduvay se domaki ne
Kolko liste po gorach
Tolko zdrave na taz kyshcha

2020-02-17 21:32:44

This isn't possible to do.  Why?  Because for most systems you eventually have to send the API key over the network.  if I want your API keys I'll just get out one of a various number of things that let me intercept network traffic and have it in all of 5 minutes.  If the API key is rate limited such that overuse will get you banned, or pay per call like almost anything on the major cloud providers, don't distribute it to client machines.

Your solution is to write a server that sits between your software and the thing that your software wants to use, make users sign into that, and have it make the calls.  Some systems will also provide per-user API key functionality (i.e. Twitter), which can make this easier because they're essentially providing the server instead of you.

Sometimes you don't have to send the API key in the request (i.e. Google Cloud serviceaccount signing) but you still have to store it somewhere on the system, and that's only going to be in one of so many places.  This is called the trusted client problem, and is unsolvable in the general case.  You might be able to look at using Intel TPM for it, but I don't think you can make I/O requests from inside the enclave, so all you'd be able to use it with is stuff that lets you sign requests before sending them.  And, you may not have access to that from C#; I believe it requires writing custom assembly or getting a C/C++ compiler to spit out special binaries.

My Blog
Twitter: @camlorn38