
List:       kde-devel
Subject:    Re: Safely storing an application's API keys
From:       Nicolás Alvarez <nicolas.alvarez () gmail ! com>
Date:       2021-01-18 14:54:37
Message-ID: 97383F22-5975-4447-8428-A77FC7A77FC0 () gmail ! com

> On 18 Jan 2021, at 08:22, Jean-Baptiste Mardelle <jb@kdenlive.org> wrote:
> 
> Hi all,
> 
> For Kdenlive, we are planning to expand the use of online services to download 
> ambiance music or videos for use in personal projects. To this purpose, most 
> online services provide us an API key that is used to identify our app 
> (Kdenlive) when querying their API.
> 
> Does anyone have experience / advice on how to protect these API keys so that
> they are not publicly available? Is there any KDE online service or framework
> helping to achieve that?
> 
> Thanks in advance for your help,
> 
> Jean-Baptiste Mardelle

Protecting an API key on a locally-running application is impossible even for a
closed source app. It's equivalent to the impossible task DRM intends to achieve
(hiding the content decryption key from the user while decrypting content on their
computer). If you give the application to the user, as opposed to running everything
in a server, the key *will* be publicly available.

https://invent.kde.org/pim/kdepim-runtime/-/blob/master/resources/imap/gmailpasswordrequester.cpp#0016


-- 
Nicolas





