|
-
Sep 23rd, 2024, 09:29 AM
#1
Thread Starter
Frenzied Member
Obfuscating a string in my code
I have an API token string hard-coded in my program that is used to access a REST API. I would like to obfuscate this string somehow, so that if somebody decompiles my program, they wont be able to see the actual string. Are there any suitable methods of doing this? Thanks...
-
Sep 23rd, 2024, 09:39 AM
#2
Re: Obfuscating a string in my code
No, if someone decompiles your application then they will also see your routine to "deobfuscate" your string.
It will only protect the string when viewing the bytes of your application with a hex viewer.
-
Sep 23rd, 2024, 10:01 AM
#3
Re: Obfuscating a string in my code
To some extent, it depends on how smart/persistent those who might do something nefarious with the string are. What Arnoutdv stated is true enough, but it requires the person you are attempting to thwart to be able to decompile, and smart enough to make sense of what they see. That's a low bar, to be sure, but it kind of comes down to whether or not you are locking a vault holding jewels or a tin holding a gumdrop.
Authenticating callers to a web service is not a trivial task, but how much effort is warranted is up to you. I know of a few REST APIs where you need to request (not via the service) an ID, which is a GUID, then pass the ID along with any call. This only works if there are a small number of valid users of the service (or else managing IDs becomes a serious chore), and whatever is behind the API is not so sensitive that a bad actor would be motivated to steal one of the IDs. For lots of users, or sensitive data, something more like OAuth would be required. Using a hard coded string would be weaker than either of those options, so whatever you were securing had better not be of much value.
My usual boring signature: Nothing
 
-
Sep 23rd, 2024, 10:18 AM
#4
Re: Obfuscating a string in my code
If you're using a service that supports the SecureString (documentation), this is what I would recommend:
- Add the password as an application scoped setting
- In the application startup create a new instance of a secure string
- Loop over every character in the setting to append it to the secure string
- Call the MakeReadOnly method (documentation)
- Assign the secure string instance to an app level variable
- Reference the secure string when making the API request
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
Click Here to Expand Forum to Full Width
|