[maemo-developers] [New Developer]: Questions - Python Packaging / Free or Non-Free / Software Licensing

From: David Greaves david at dgreaves.com
Date: Sun Feb 7 20:44:46 EET 2010
Sanjeev (EIPI) wrote:
> Thank you for the reply. To clarify this particular situation a bit
> more... The API key is available only on a paid basis. For some novel or
> new devices, a limited use (read: non-commercial) key is given to
> developers that apply for one. So, a casual user is not able to obtain
> their own API key. I have obtained one of these limited use keys for use
> in my application.
> 
> This is the reason why I was inquiring about how to protect the API key
> within the application.

(NB: try not to top-post)

This is not a licensing issue, it's a security issue.
(Well, actually, you may contravene the API publisher's license since you
probably can't avoid publishing your personal credentials to the world).

In general if you distribute a binary containing credentials then the
credentials can be extracted. You need a fairly complex security system to avoid
this (e.g. Harmattan's upcoming DRM management which is the problem you're
attempting to solve - and look how well that worked out so far).

You have several obvious problems:
* Python is distributed as source - it's hard to obfuscate
* the API key will almost certainly be clear in the source
* if you encrypt the credentials then the decryption routine will be clear
* if you obfuscate it (e.g. compile) then it has to be capable of being read by
the CPU - or by a debugger.

One solution is to use a proxy. Provide an 'open' service that your app calls
and which then passes the request on to the paid service using credentials kept
on the proxy. This is likely a breach of the terms-of-use license.

As the problem is outlined I think you're out of luck - sorry.

David

-- 
"Don't worry, you'll be fine; I saw it work in a cartoon once..."
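
An added example, not part of the message above or of any project it mentions: a pre-release check showing that compiling a Python module does not hide a string constant, which is the point made in the list of problems. The sample module, the placeholder key and all function names are constructed for illustration.

```python
import marshal
import types

# Constructed sample module; the key is a placeholder, not a real credential.
SAMPLE_SOURCE = '''
API_KEY = "EXAMPLE-KEY-0000-not-a-real-credential"

def build_request(query):
    secret = "EXAMPLE-KEY-0000-not-a-real-credential"
    return {"q": query, "key": secret}
'''


def string_constants(code):
    """Yield every str constant in a code object, including nested functions."""
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from string_constants(const)
        elif isinstance(const, (tuple, frozenset)):
            yield from (c for c in const if isinstance(c, str))
        elif isinstance(const, str):
            yield const


def compiled_blob(source, filename="sample_app.py"):
    """Compile source and serialise it with marshal, as the body of a .pyc is."""
    return marshal.dumps(compile(source, filename, "exec"))


def find_embedded(blob, marker):
    """Return the distinct string constants in a marshalled code object
    that contain marker."""
    code = marshal.loads(blob)  # only load blobs you built yourself
    return sorted({s for s in string_constants(code) if marker in s})


if __name__ == "__main__":
    blob = compiled_blob(SAMPLE_SOURCE)
    for hit in find_embedded(blob, "EXAMPLE-KEY"):
        print("credential survives compilation:", hit)
```

Run against your own build output before release; any hit means the value ships to every user of the package.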