On Mon, Feb 8, 2010 at 00:18, Sanjeev (EIPI)
<mobiletabletsb...@gmail.com> wrote:
>
> As I said, I am new at this, so I did not see some of these issues before
> starting development. The points you make are quite valid, and I did not
> realize that python was distributed as source. That may sound obvious to
> many, but I am not a s/w person at all.
>
> I wonder how independant developers are making use of this API then? It
> confuses me greatly.
In my opinion, you should go to "best efforts"; and here are some
suggestions to try and keep the key (slightly) hidden:
1) non-free package
~~~~~~~~~~~~~~~~~~~
* Create a non-free (i.e. binary) package which contains your API
keys encrypted in some way (perhaps just XORing the values) and
a small C program which decrypts them.
* Create your Python package as normal, with a `Depends' on the
non-free package and call the small C program from within your
app.
It's not "real" security, but that should be OK. The biggest problem I
can see is that the C program would then be callable by any other
developer.
2) Retrieve keys at install time
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Create your Python package as normal, but ensure it does not
contain the keys.
* In your package's postinst you can be fairly sure there's a
network connection, so retrive the keys from a known URL.
* You could even have it so that the URL is a small little PHP
script which has a list of MD5s for the main Python file and
that this is sent as a query parameter. When a new version is
released you get the package from Extras and add the MD5 to
the PHP file. You could even XOR things with the MD5 sent so
that you get an extra layer of obscurity.
> FWIW - the application I made provides a simple UI so that a user
> can enter an airline, and flight number. The app then uses the
> flightstats.com API to search for the flight's current status.
> The app provides a list of airlines so that the user does not have
> to know the airline code.
Sounds excellent.
It's worth bearing in mind that almost every app using this API, on
every platform will be able to have the keys retrieved unless there is
an in-built security mechanism such as that being developed for Maemo
6. However, even then, distribution mechanisms could be the weakest
link.
At some point, flightstats.com will have have to trust a device
(whether N900, desktop, Nexus One or jailbroken iPhone) which could be
in a malicious user's hands.
Hope that helps,
Andrew
--
Andrew Flegg -- mailto:and...@bleb.org | http://www.bleb.org/
_______________________________________________
maemo-developers mailing list
maemo-developers@maemo.org
https://lists.maemo.org/mailman/listinfo/maemo-developers
