I am looking to develop an Android / iPhone application that will be using a private API (non-free) with an embedded client key.
Now, since it is possible to reverse-engineer application binaries and scrape out strings, I am worried about losing my client key and thereby exposing the private API to an attacker.
How can I manage this? Can you provide links to articles discussing such situations?
Considering I have development access to the private API, what mechanism can I build into it to preserve the privacy of the whole system?
It will always be possible to use the private API if you have access to your application's code (see this thread as well). You can make it harder, though. And you can restrict the use of the API with the following options:
1) If it's not "your" API, don't put the key into the app but into a server you are running that serves as a proxy for the foreign service (you probably still want another key for your server to go into the app then).
2) Encrypt/scramble the key so it is not grabbed easily.
3) If it's your service or you have a proxy set up, restrict the number of uses per client/IP or offer only parts of the service over your proxy.
Note, option 1 may even be required if you have a contract which forbids making your key public.
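The proxy setup from options 1 and 3 above, as an added example that is not code from the original answer: the foreign API key lives only on the server, the app carries a separate per-build key, and each client is limited to a few requests per window and to a subset of upstream paths. The key values, the vendor host and the path are constructed placeholders.

```python
import os
import time
from collections import defaultdict

# Constructed placeholders; a real deployment reads these from the environment or a secret store.
UPSTREAM_KEY = os.environ.get("UPSTREAM_API_KEY", "upstream-secret-placeholder")  # never shipped in the app
APP_KEYS = {"app-key-android-v1": "android", "app-key-ios-v1": "ios"}  # per-build keys that do go into the app
ALLOWED_PATHS = {"/v1/search"}   # only this part of the foreign service is exposed through the proxy
RATE_LIMIT = 5                   # requests allowed per client ...
WINDOW_SECONDS = 60              # ... within this sliding window

_hits = defaultdict(list)        # client id -> timestamps of recent requests


def _within_limit(client_id, now):
    """Sliding-window check: keep only timestamps still inside the window."""
    recent = [t for t in _hits[client_id] if now - t < WINDOW_SECONDS]
    if len(recent) >= RATE_LIMIT:
        _hits[client_id] = recent
        return False
    recent.append(now)
    _hits[client_id] = recent
    return True


def handle(app_key, client_ip, path, now=None):
    """Decide how the proxy treats one incoming app request.

    Returns (http_status, upstream_request) where upstream_request is the
    request the proxy would forward to the vendor, or None when rejected.
    """
    now = time.time() if now is None else now
    if app_key not in APP_KEYS:            # unknown or revoked app key
        return 401, None
    if path not in ALLOWED_PATHS:          # option 3: expose only part of the service
        return 404, None
    client_id = f"{APP_KEYS[app_key]}:{client_ip}"
    if not _within_limit(client_id, now):  # option 3: per client/IP quota
        return 429, None
    # Option 1: the foreign key is attached here, server side, and never reaches the device.
    upstream = {
        "url": "https://api.example-vendor.invalid" + path,
        "headers": {"Authorization": f"Bearer {UPSTREAM_KEY}"},
    }
    return 200, upstream
```

A revoked app key (for example one scraped from a leaked build) is removed from `APP_KEYS` on the server without touching the vendor key, which is the whole point of the indirection.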