Twitter's own handling of keys varies. For example: Twitter for iOS has the keys plaintext in the code. The iOS5 library actually doesn't store them as plaintext, but encrypts the consumer key the same way as the consumer secret, which still means it's easy because once you have the consumer key (packet sniffing?) you'll know how to get the secret. (Believe me, it's almost easier than that.)

Those are two examples of how NOT to do it.

I can give you these tips:
* Don't encode your consumer key or don't use the same algorithm as the secret. The consumer key is supposed to be non-secret information as it is also transmitted on the request. If you can get the decoded version of the consumer key and the encoded version of the consumer key, it's often easy to reverse-engineer the algorithm. * Write your encryption in a "safe" language. For example, Objective-C is *very* easy to use with a debugger. C++ however, is not. Write your hashing code in C++ (hashing code: getting the secret all the way up to doing the HMAC hash). Also try to avoid using system libraries for the HMAC: preferably implement it yourself. This will make it harder as the "attacker" won't know what to target.

Of course, these won't really work with opensource applications, as everyone can get the keys. If you distribute your application under a GPL license, there isn't much you can do, as you're forced to share the code (which include the keys).

There are currently two options for OS projects I can think of :
* Route all your requests via an application on your server (the TweetDeck way: just redirect api.tweetdeck.com to api.twitter.com but sign the requests with your key. However: this *will* cause issues with POST requests, so you'll have to handle those on your sever which may cause some heavy load)
 * Have your users register an application on dev.twitter.com/apps.

Tom


On 6/21/11 5:08 PM, Brian Remmington wrote:
What techniques are people using to keep their Twitter app's consumer
key and consumer secret, um, secret? What lengths are you going to to
make sure nasty people can't get at this information? I have a
particular problem in that I want my app to be open source - does
anyone have any experience of building open source apps that interact
with Twitter (or other services that use OAuth)? Thoughts?
Suggestions?


Brian


--
Twitter developer documentation and resources: https://dev.twitter.com/doc
API updates via Twitter: https://twitter.com/twitterapi
Issues/Enhancements Tracker: https://code.google.com/p/twitter-api/issues/list
Change your membership to this group: 
https://groups.google.com/forum/#!forum/twitter-development-talk

Reply via email to