On 2/8/10, Andrew Flegg <and...@bleb.org> wrote:
> On Mon, Feb 8, 2010 at 00:18, Sanjeev (EIPI)
> <mobiletabletsb...@gmail.com> wrote:
>>
>> As I said, I am new at this, so I did not see some of these issues before
>> starting development.  The points you make are quite valid, and I did not
>> realize that python was distributed as source.  That may sound obvious to
>> many, but I am not a s/w person at all.
>>
>> I wonder how independent developers are making use of this API then?  It
>> confuses me greatly.
>
> In my opinion, you should go to "best efforts"; and here are some
> suggestions to try and keep the key (slightly) hidden:
>
> 1) non-free package
> ~~~~~~~~~~~~~~~~~~~
>   * Create a non-free (i.e. binary) package which contains your API
>     keys encrypted in some way (perhaps just XORing the values) and
>     a small C program which decrypts them.
>
>   * Create your Python package as normal, with a `Depends' on the
>     non-free package and call the small C program from within your
>     app.
>
> It's not "real" security, but that should be OK. The biggest problem I
> can see is that the C program would then be callable by any other
> developer.
>
> 2) Retrieve keys at install time
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>   * Create your Python package as normal, but ensure it does not
>     contain the keys.
>
>   * In your package's postinst you can be fairly sure there's a
>     network connection, so retrieve the keys from a known URL.
>
>   * You could even have it so that the URL is a small little PHP
>     script which has a list of MD5s for the main Python file and
>     that this is sent as a query parameter. When a new version is
>     released you get the package from Extras and add the MD5 to
>     the PHP file. You could even XOR things with the MD5 sent so
>     that you get an extra layer of obscurity.
>
>> FWIW - the application I made provides a simple UI so that a user
>> can enter an airline, and flight number.  The app then uses the
>> flightstats.com API to search for the flight's current status.
>> The app provides a list of airlines so that the user does not have
>> to know the airline code.
>
> Sounds excellent.
>
> It's worth bearing in mind that almost every app using this API, on
> every platform will be able to have the keys retrieved unless there is
> an in-built security mechanism such as that being developed for Maemo
> 6. However, even then, distribution mechanisms could be the weakest
> link.
>
> At some point, flightstats.com will have to trust a device
> (whether N900, desktop, Nexus One or jailbroken iPhone) which could be
> in a malicious user's hands.
>
> Hope that helps,
>
> Andrew
>
> --
> Andrew Flegg -- mailto:and...@bleb.org  |  http://www.bleb.org/
>

Thank you for the ideas, Andrew.  I will have to think about the best
method that I can provide obscurity that is within my means at the
moment. Retrieving the keys at install time sounds like a good
candidate.

I have packaging headaches right now that I need to resolve.  Once
those are squared away, I'll tackle the key obscurity issue.

Thanks again!

Sanjeev
-- 
EIPI
Mobile Tablets! Blog: http://mobiletablets.blogspot.com
_______________________________________________
maemo-developers mailing list
maemo-developers@maemo.org
https://lists.maemo.org/mailman/listinfo/maemo-developers
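Andrew's second scheme (postinst sends the MD5 of the main Python file to a key server that only answers for whitelisted versions, XORing the key with the digest) as a runnable sketch; this is added here, not code from the thread. The key value, the file name and an in-process serve_key() standing in for the PHP script behind the URL are constructed assumptions.

```python
import hashlib
import os
import tempfile

# Constructed sample values: the real key exists only on the server side,
# and the whitelist holds the MD5s of released versions of the main file.
API_KEY = b"example-flightstats-key-0000"   # placeholder, not a real key
KNOWN_MD5S = set()                           # grows with each release


def md5_of_file(path):
    """MD5 of the client's main Python file, sent as the query parameter."""
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()


def xor_with(data, digest_hex):
    """XOR bytes with the 16-byte MD5 digest, repeating it as needed."""
    digest = bytes.fromhex(digest_hex)
    return bytes(b ^ digest[i % len(digest)] for i, b in enumerate(data))


def serve_key(md5_param):
    """Server side (the PHP script): answer only for a whitelisted MD5."""
    if md5_param not in KNOWN_MD5S:
        return None
    return xor_with(API_KEY, md5_param)


def fetch_key(main_file):
    """Client side (postinst): compute our MD5, ask the server, undo the XOR."""
    digest_hex = md5_of_file(main_file)
    blob = serve_key(digest_hex)   # stands in for an HTTP GET to the known URL
    if blob is None:
        return None
    return xor_with(blob, digest_hex)


def demo():
    """Release one version, then show that a modified copy gets no key."""
    with tempfile.TemporaryDirectory() as d:
        main_py = os.path.join(d, "flightstatus.py")   # constructed file
        with open(main_py, "wb") as f:
            f.write(b"print('constructed main file v1')\n")
        KNOWN_MD5S.add(md5_of_file(main_py))   # "add the MD5 to the PHP file"
        released = fetch_key(main_py)
        with open(main_py, "ab") as f:
            f.write(b"# local edit\n")
        tampered = fetch_key(main_py)
    return released, tampered
```

As the thread says, this is obscurity only: the MD5 identifies a released version, not a trustworthy device, so any unmodified copy of the package is served the key.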
