On Sun, Feb 7, 2010 at 7:08 PM, Sanjeev (EIPI)
<mobiletabletsb...@gmail.com> wrote:

>
>
> On Sun, Feb 7, 2010 at 1:44 PM, David Greaves <da...@dgreaves.com> wrote:
>
>> Sanjeev (EIPI) wrote:
>> > Thank you for the reply. To clarify this particular situation a bit
>> > more... The API key is available only on a paid basis. For some novel or
>> > new devices, a limited use (read: non-commercial) key is given to
>> > developers that apply for one. So, a casual user is not able to obtain
>> > their own API key. I have obtained one of these limited use keys for use
>> > in my application.
>> >
>> > This is the reason why I was inquiring about how to protect the API key
>> > within the application.
>>
>> (nb try not to top-post)
>>
>> This is not a licensing issue, it's a security issue.
>> (Well, actually, you may contravene the api publisher's license since you
>> probably can't avoid publishing your personal credentials to the world).
>>
>> In general if you distribute a binary containing credentials then the
>> credentials can be extracted. You need a fairly complex security system to
>> avoid this (eg Harmattan's upcoming DRM management which is the problem
>> you're attempting to solve - and look how well that worked out so far).
>>
>> You have several obvious problems:
>> * python is distributed as source - it's hard to obfuscate
>> * the api key will almost certainly be clear in the source
>> * if you encrypt the credentials then the decryption routine will be clear
>> * if you obfuscate it (eg compile) then it has to be capable of being read
>>   by the CPU - or by a debugger.
>>
>> One solution is to use a proxy. Provide an 'open' service that your app
>> calls and which then passes the request on to the paid service using
>> credentials kept on the proxy. This is likely a breach of the terms-of-use
>> license.
>>
>> As the problem is outlined I think you're out of luck - sorry.
>>
>> David
>>
>> --
>> "Don't worry, you'll be fine; I saw it work in a cartoon once..."
>>
>
>
>
Thank you for the reply, David (and sorry for top-posting).

As I said, I am new at this, so I did not see some of these issues before
starting development.  The points you make are quite valid, and I did not
realize that python was distributed as source.  That may sound obvious to
many, but I am not a s/w person at all.

I wonder how independent developers are making use of this API then?  It
confuses me greatly.

FWIW - the application I made provides a simple UI so that a user can enter
an airline, and flight number.  The app then uses the flightstats.com API to
search for the flight's current status.  The app provides a list of airlines
so that the user does not have to know the airline code.

This data is available through their API on a paid basis.  For simple
widgets, they allow developers to use the API as long as they provide deep
links back to their site (for advertising revenue).  I am curious now how
other application developers use the API key so that it is secure.

Would C be a better choice?  It sounds as though it may not, since you say
that the API key can still be 'found out'.
_______________________________________________
maemo-developers mailing list
maemo-developers@maemo.org
https://lists.maemo.org/mailman/listinfo/maemo-developers
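
The point made in the quoted reply, that compiling or lightly encoding an embedded key does not hide it, shown as a pre-release check a developer can run on their own code. This is an added example and not part of the original thread; the key value, the sample sources and the function names are constructed for illustration.

```python
import base64
import binascii
import marshal

# Constructed placeholder, not a real credential.
SECRET = "EXAMPLE-KEY-0000-not-a-real-key"

# Constructed sample 1: the key sits in the source as a plain literal.
PLAIN_SOURCE = f'''
API_KEY = "{SECRET}"

def status_url(airline, flight):
    return "https://api.example.invalid/status?key=" + API_KEY
'''

# Constructed sample 2: the key is base64-encoded and decoded at run time.
ENCODED_SOURCE = f'''
import base64
API_KEY = base64.b64decode("{base64.b64encode(SECRET.encode()).decode()}").decode()
'''

def encoded_forms(secret):
    """Byte patterns to look for: the secret itself and two trivial encodings."""
    raw = secret.encode()
    return {
        "plain": raw,
        "base64": base64.b64encode(raw),
        "hex": binascii.hexlify(raw),
    }

def audit_compiled(source, secret):
    """Compile `source` to bytecode and list the forms of `secret` left in it."""
    code = compile(source, "app.py", "exec")
    payload = marshal.dumps(code)  # same bytes a .pyc stores after its header
    return sorted(name for name, blob in encoded_forms(secret).items()
                  if blob in payload)

if __name__ == "__main__":
    print("plain literal ->", audit_compiled(PLAIN_SOURCE, SECRET))
    print("base64 literal ->", audit_compiled(ENCODED_SOURCE, SECRET))
```

An empty result only means none of these three encodings was found; any scheme whose decoding routine ships with the application leaves the key recoverable at run time, as the quoted reply says.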
