Securing oAuth Client Id and Secret
-
I have a desktop app that consumes a Google API. Right now the Client Id and Secret are defined as constant strings in plain text and built into the app.I'd like to secure them with encryption, but then I would have to store the key somewhere, which doesn't solve the problem. What's the best way to secure the Id and Secret? Thanks
If it's not broken, fix it until it is. Everything makes sense in someone's mind. Ya can't fix stupid.
-
I have a desktop app that consumes a Google API. Right now the Client Id and Secret are defined as constant strings in plain text and built into the app.I'd like to secure them with encryption, but then I would have to store the key somewhere, which doesn't solve the problem. What's the best way to secure the Id and Secret? Thanks
If it's not broken, fix it until it is. Everything makes sense in someone's mind. Ya can't fix stupid.
There is no absolute solution. Anywhere you get it from the code when running must still have it in memory which could be copied. Some possible variations. 1. Encrypt text in your code. But then of course the encryption key must be somewhere. But it does make it a bit harder to find the more useful (hackable) first one 2. Load it from a file. Installing into production means that the authorized users are only ones with access to the file. They put the value in the file. This can be combined with the first one so that the value in the file is still encrypted. In that case you do want the encryption key in the code and not the file. Because then they would need to figure out both to get to the uncrypted value.