Log in

View Full Version : API Key/Secret Encryption


hoffmcs
April 19th, 2010, 06:25 AM
Is there any way to hide or encrypt application credentials (api key/secret) in Boxee? It seems that every application source is available for all to see. Has anyone come up with any clever solutions to address this?

cuve
April 19th, 2010, 07:10 AM
Is there any way to hide or encrypt application credentials (api key/secret) in Boxee? It seems that every application source is available for all to see. Has anyone come up with any clever solutions to address this?

Afaik there's not really a solution.
If you encrypt your key, you'll have to decrypt it in your app before you can use it .. thus it's readable again.

DPK
April 19th, 2010, 07:54 AM
The most you can really do is be in control of the data you are pushing out and then somehow make it so there is a check on the server side that restricts serving content to user agents that only come from Boxee.

Outside of that there's not a real 100% secure method. There's going to be a pitfall somewhere.

StevenR
April 19th, 2010, 08:01 AM
One way around this limitation is to use a server-side language like PHP as a wrapper for API functions. The drawback is that you would need somewhere to host the PHP (or other language) files, but you do have more control over the use of the API functions. You also have the advantage that some API-related bug fixes for your application can be made in the server-side code without requiring users to update the application (apps in third-party repositories don't automatically update currently).

cuve
April 19th, 2010, 08:19 AM
One way around this limitation is to use a server-side language like PHP as a wrapper for API functions. The drawback is that you would need somewhere to host the PHP (or other language) files, but you do have more control over the use of the API functions. You also have the advantage that some API-related bug fixes for your application can be made in the server-side code without requiring users to update the application (apps in third-party repositories don't automatically update currently).

This is imo still not really a way around, "evil" users still can use your calls to the intermedia server right?
Ofcourse they might have less calls they can abuse, but still.

(Or do I misunderstand you?)

DPK
April 19th, 2010, 08:23 AM
One way around this limitation is to use a server-side language like PHP as a wrapper for API functions. The drawback is that you would need somewhere to host the PHP (or other language) files, but you do have more control over the use of the API functions. You also have the advantage that some API-related bug fixes for your application can be made in the server-side code without requiring users to update the application (apps in third-party repositories don't automatically update currently).

All well and good, but there's still the security issue. The user is basically wanting to restrict access to whatever data they're requesting to their app and their app alone.

agentlame
April 19th, 2010, 09:04 AM
I'm not sure if I'm misreading the question, but you could compile your Python. (Though, there are Python de-compilers.)

hoffmcs
April 20th, 2010, 09:15 AM
Compiling the python would only solve part of it but you still have the xml where you are going to need to make you python calls. It looks like with some of the core Boxee apps, like Pandora and Flickr, they do make all their calls with a server side wrapper of the api. Also, i see they use some method to obscure their api key in Pandora (http://developer.boxee.tv/App_Class#GetAuthenticationToken) but this method is "for internal use only".

Boxee really needs to develop a method to package channels. It is great for developers to see the source for all channels but there is a real problem with securing them in any way. I am fine providing all my source for the channel but not having a way to secure api keys and secrets is really a bummer since someone could hijack them and get your app banned from the service.

I really hope Boxee provides a way to do this.

BTW, if you did want to wrap the api calls, you can do so using Google App Engine for free (and dev in Python too). My problem with this method is it just puts in another point of failure and unnecessarily complicates development.