On Sat, 12 Jun 2010 09:48:15 -0700
Zac Bowling <zbowl...@gmail.com> wrote:

> Yes, that is a problem with any app that you distribute that has any
> embedded keys. Unfortunately, you ultimately can't really entirely
> secure anything you ship that a user can run on their own machine.
> You can however take a few steps to make that extremely difficult by
> encrypting and obfuscating your consumer keys/secrets in your app
> package before you distribute. Nothing is impossible to reverse
> engineer if you can get your hands on it (look at iTunes), but you
> can make it take so long and be so hard that it becomes too hard and
> almost everyone gives up (look at iTunes 9). 

An important question: 

secure against what?

Against posting tweets when the user is not who they say they are?

You can't secure against that. Desktop machines are left unattended.
Mobile phones are borrowed and stolen. 

Sure you can make it harder to just grab the key/secret pair of open
source application A and implement application B, pretending to be A.

But what does that buy you? What does that protect against?

-- 
Bernd Stramm
<bernd.str...@gmail.com>
