On Jan 18, 11:32 am, John Meyer <john.l.me...@gmail.com> wrote:
> On 1/18/2010 12:22 PM, ryan alford wrote:
>
> > There is a difference between giving your application to others to
> > install and use, and others downloading your code for their own
> > applications.
>
> > If a user is installing your application to use, then your code would
> > include your consumer key.

Just the consumer key, or both the consumer key and consumer secret?

>
> > If a user is downloading your open source code to use for their own app,
> > then they need to get their own consumer key to relate to their app.
>
> > Ryan
>
> An addendum.
>
> If you were seriously concerned about others grabbing those codes you
> could specify that the app fetches those keys from an ftp server or some
> sort of web service that you ran.  But I would guess that this would be
> a bit more paranoid than what you are trying to prevent.

The "paranoia" is directly from Twitter's "Security Best Practices"
http://apiwiki.twitter.com/Security-Best-Practices:

"Don't store passwords. Just store OAuth tokens. Please."

"As aforementioned, for optimal security you should be using OAuth.
But once you have a token with which to make requests on behalf of a
user, where do you put it? Ideally, in an encrypted store managed by
your operating system. On Mac OS X, this would be the Keychain. In the
GNOME desktop environment, there's the Keyring. In the KDE desktop
environment, there's KWallet."

As an aside, 90% of the desktops/laptops out there run Windows. I'd
hope that the Security Best Practices document would include a little
more on dealing with Windows desktops than a link to the MSDN Security
Developer Center. ;-)

I think the FTP server idea is a good one - it gives me a log file of
everyone who's obtained the consumer key and secret for Ed's Wonderful
Desktop App, so when someone fires up a debugger, runs my app, grabs
all the authentication codes and uses them to do a DoS attack on
Twitter and gets my app blacklisted, I'll have a list of people for my
attorney to call and depose. ;-)

--
M. Edward (Ed) Borasky
http://borasky-research.net/smart-at-znmeb

"A mathematician is a device for turning coffee into theorems." ~ Paul
Erdős
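The Twitter guidance quoted above (keep the per-user OAuth token in the OS credential store, not in a config file) in working form. This is an added example, not code from the thread or from Twitter: it uses the `keyring` library where installed and falls back to a labelled in-memory stand-in otherwise, and the service name "EdsWonderfulDesktopApp" is an assumption borrowed from the message.

```python
"""Keep a desktop app's per-user OAuth tokens in the OS credential store
(Keychain, GNOME Keyring, KWallet, Windows Credential Manager) rather than
in a plaintext config file. Uses the `keyring` library when it is installed."""
import json

try:
    import keyring  # talks to the platform's encrypted credential store
except ImportError:  # no keyring module: fall back to the stand-in below
    keyring = None

SERVICE = "EdsWonderfulDesktopApp"  # assumed service name for the keyring entries


class MemoryBackend:
    """Dict-backed stand-in with keyring's set/get_password signatures.
    Not encrypted; for tests or machines with no usable OS keyring."""

    def __init__(self):
        self._items = {}

    def set_password(self, service, username, password):
        self._items[(service, username)] = password

    def get_password(self, service, username):
        return self._items.get((service, username))


class TokenStore:
    """Saves and loads the (oauth_token, oauth_token_secret) pair for a user."""

    def __init__(self, backend=None):
        self.backend = backend or keyring or MemoryBackend()

    def save(self, screen_name, oauth_token, oauth_token_secret):
        # one keyring entry per value; the OS store encrypts them at rest
        self.backend.set_password(SERVICE, f"{screen_name}/token", oauth_token)
        self.backend.set_password(SERVICE, f"{screen_name}/secret", oauth_token_secret)

    def load(self, screen_name):
        token = self.backend.get_password(SERVICE, f"{screen_name}/token")
        secret = self.backend.get_password(SERVICE, f"{screen_name}/secret")
        return None if token is None or secret is None else (token, secret)


def config_for_disk(screen_name, consumer_key):
    """The only credential-related data that belongs in a plain config file:
    the account name and the consumer key (an identifier, not a secret).
    Tokens and their secrets never go here; they live in the TokenStore."""
    return json.dumps({"screen_name": screen_name, "consumer_key": consumer_key})
```

On a real desktop, `TokenStore()` with no argument uses whatever `keyring` backend the platform provides, so the same code path is exercised in tests with `MemoryBackend()`.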
