> > Unfortunately that raised the question of "Ok, so now where do we store our key in the app, so that no one can pull it out and use it, except for the app."

No hope! If you distribute secret keys with the apps they can be found easily and you declare yourself an amateur.

A friend of mine is a security consultant and he was asked/challenged by a company to "crack" their product if he could. He owned some powerful Intel disassembler product (I forget the name, it cost about $US800), ran it over the code, stepped over the C code that "unscrambled" the secret password and found it was a block of 64 0x65 bytes. He could even watch the C code XOR back and forth over the buffer and found it was even wasting its own time due to a bug which caused it to process bytes multiple redundant times.

Corneliu, you told me years ago up at Wagga that you were doing this sort of thing, but I can't remember what tools or techniques you used. If it's not a state secret and you don't have to kill anyone you tell, what are your tricks?

Cheers,
Greg
