iOS - Should I encrypt my Dropbox app key/secret?


We're adding Dropbox support to our app, and we have an "app key" and an "app secret" for it. We could keep them as plain text in the code, as listed in the Sync API tutorial:

    DBAccountManager *accountMgr = [[DBAccountManager alloc] initWithAppKey:@"hf2hf892hf9y29h" secret:@"n29fh82h4f"];

(Note: made-up key and secret, not our real ones.)

But it'd be super easy to extract them from the app if someone wanted to. To prevent that, we could add some sort of basic encryption to make the keys harder to find, but the keys are still going to be used in the call to the Dropbox account manager at some point, so there's no way to keep them secure.

Is this something one worries about, or is it a fact of life that someone who wants to can go in and find out the keys?

> Is this something one worries about

Any sane developer worries about it. Use some form of encryption.

Hint: my attitude - when I download an app from the App Store that requires some form of login to [insert arbitrary webservice here], I decrypt the binary and run otool or at least strings on it. If it has plaintext passwords/OAuth keys/SSL keypairs etc. in it, I trash it immediately.

> is it a fact of life that someone who wants to can go in and find out the keys?

Practically, yes, the keychain isn't secure ;-). This is, however, not an excuse for not trying your best if the subject is the security of your data and/or of your users.
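
As an added example (not code from the question or the answer), the Python sketch below mirrors the `strings` check the answer describes as a pre-release audit: it flags a build that carries the app key/secret verbatim, and shows that the basic obfuscation the question proposes hides them from that scan while staying reversible. The sample "binary", the XOR pad and all function names are constructed for illustration.

```python
import re

# Constructed sample values; the key/secret are the made-up ones from the question.
APP_KEY = b"hf2hf892hf9y29h"
APP_SECRET = b"n29fh82h4f"
XOR_PAD = 0x5A  # hypothetical single-byte obfuscation pad


def printable_strings(blob, min_len=4):
    """Return runs of printable ASCII, like `strings` does on a binary."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def xor_bytes(data, pad=XOR_PAD):
    """Basic obfuscation of the kind the question proposes (not real encryption)."""
    return bytes(b ^ pad for b in data)


def leaked_secrets(blob, secrets):
    """Names of secrets that appear verbatim in the artifact's printable strings."""
    found = printable_strings(blob)
    return sorted(name for name, value in secrets.items()
                  if any(value.decode("ascii") in s for s in found))


def fake_binary(key, secret):
    """Constructed stand-in for a decrypted app binary: header bytes plus strings."""
    return (b"\xcf\xfa\xed\xfe\x00\x00\x01" + b"initWithAppKey:secret:\x00"
            + key + b"\x00" + secret + b"\x00\x07\x00\x00")


SECRETS = {"app_key": APP_KEY, "app_secret": APP_SECRET}
PLAIN_BUILD = fake_binary(APP_KEY, APP_SECRET)
OBFUSCATED_BUILD = fake_binary(xor_bytes(APP_KEY), xor_bytes(APP_SECRET))

if __name__ == "__main__":
    print("plaintext build leaks:", leaked_secrets(PLAIN_BUILD, SECRETS))
    print("obfuscated build leaks:", leaked_secrets(OBFUSCATED_BUILD, SECRETS))
    # The app must undo the obfuscation before calling the SDK, so the value
    # is still recoverable by anyone who finds the pad in the same binary.
    print("recovered at runtime:", xor_bytes(xor_bytes(APP_KEY)) == APP_KEY)
```

Run as a build step against the real artifact, a non-empty result from `leaked_secrets` is a reason to fail the build; an empty result only means the values are not stored verbatim, not that they are protected.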

