[maemo-developers] [New Developer]: Questions - Python Packaging / Free or Non-Free / Software Licensing
From: Sanjeev (EIPI) mobiletabletsblog at gmail.com
Date: Mon Feb 8 02:18:52 EET 2010
- Previous message: Testing apps
- Next message: [New Developer]: Questions - Python Packaging / Free or Non-Free / Software Licensing
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Sun, Feb 7, 2010 at 7:08 PM, Sanjeev (EIPI) <mobiletabletsblog at gmail.com> wrote:

> On Sun, Feb 7, 2010 at 1:44 PM, David Greaves <david at dgreaves.com> wrote:
>
>> Sanjeev (EIPI) wrote:
>> > Thank you for the reply. To clarify this particular situation a bit
>> > more... The API key is available only on a paid basis. For some novel or
>> > new devices, a limited use (read: non-commercial) key is given to
>> > developers that apply for one. So, a casual user is not able to obtain
>> > their own API key. I have obtained one of these limited use keys for use
>> > in my application.
>> >
>> > This is the reason why I was inquiring about how to protect the API key
>> > within the application.
>>
>> (nb try not to top-post)
>>
>> This is not a licensing issue, it's a security issue.
>> (Well, actually, you may contravene the api publisher's license since you
>> probably can't avoid publishing your personal credentials to the world).
>>
>> In general if you distribute a binary containing credentials then the
>> credentials can be extracted. You need a fairly complex security system to
>> avoid this (eg Harmattan's upcoming DRM management which is the problem
>> you're attempting to solve - and look how well that worked out so far).
>>
>> You have several obvious problems:
>> * python is distributed as source - it's hard to obfuscate
>> * the api key will almost certainly be clear in the source
>> * if you encrypt the credentials then the decryption routine will be clear
>> * if you obfuscate it (eg compile) then it has to be capable of being read
>>   by the CPU - or by a debugger.
>>
>> One solution is to use a proxy. Provide an 'open' service that your app
>> calls and which then passes the request on to the paid service using
>> credentials kept on the proxy. This is likely a breach of the terms-of-use
>> license.
>>
>> As the problem is outlined I think you're out of luck - sorry.
>>
>> David
>>
>> --
>> "Don't worry, you'll be fine; I saw it work in a cartoon once..."
>>
>
>

Thank you for the reply, David (and sorry for top-posting). As I said, I am new at this, so I did not see some of these issues before starting development. The points you make are quite valid, and I did not realize that python was distributed as source. That may sound obvious to many, but I am not a s/w person at all.

I wonder how independent developers are making use of this API then? It confuses me greatly.

FWIW - the application I made provides a simple UI so that a user can enter an airline, and flight number. The app then uses the flightstats.com API to search for the flight's current status. The app provides a list of airlines so that the user does not have to know the airline code. This data is available through their API on a paid basis. For simple widgets, they allow developers to use the API as long as they provide deep links back to their site (for advertising revenue).

I am curious now how other application developers use the API key so that it is secure. Would C be a better choice? It sounds as though it may not, since you say that the API key can still be 'found out'.
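The proxy approach described in David's quoted reply, as an added example that is not part of the original thread: the request-handling decisions of a service that keeps the API key server-side, forwards only validated parameters, and rate-limits each client so the shared quota cannot be drained. The upstream URL, parameter names, limits and the `FLIGHT_API_KEY` environment variable are assumptions, not the real flightstats.com API.

```python
"""Credential-holding proxy logic: the distributed client never sees the key."""
import os
import re
import time
from urllib.parse import urlencode

# Assumptions (not from the thread): placeholder upstream URL and parameter names.
UPSTREAM = "https://api.example.invalid/flightstatus"
ALLOWED = {"airline": re.compile(r"[A-Z0-9]{2,3}"),
           "flight": re.compile(r"[0-9]{1,4}")}
RATE_LIMIT, WINDOW = 5, 60.0   # requests per client per WINDOW seconds
_hits = {}                     # client id -> timestamps of recent requests


def build_upstream_url(client_params, api_key):
    """Return the URL the proxy would fetch, or None if the request is refused.

    Only allowlisted, validated parameters are forwarded. A client that sends
    its own "key" (or any other unknown parameter) is refused outright.
    """
    if set(client_params) - set(ALLOWED):
        return None
    query = {}
    for name, pattern in ALLOWED.items():
        value = client_params.get(name, "")
        if not pattern.fullmatch(value):
            return None
        query[name] = value
    query["key"] = api_key     # credential is injected on the server only
    return UPSTREAM + "?" + urlencode(query)


def allow(client_id, now=None):
    """Sliding-window limit so one client cannot burn the shared quota."""
    now = time.monotonic() if now is None else now
    recent = [t for t in _hits.get(client_id, []) if now - t < WINDOW]
    allowed = len(recent) < RATE_LIMIT
    _hits[client_id] = recent + [now] if allowed else recent
    return allowed


def handle(client_id, client_params, now=None):
    """Return (HTTP status for the client, upstream URL to fetch or None)."""
    api_key = os.environ.get("FLIGHT_API_KEY")
    if not api_key:
        return 503, None       # not configured: never forward without the key
    if not allow(client_id, now):
        return 429, None
    url = build_upstream_url(client_params, api_key)
    return (200, url) if url else (400, None)
```

The proxy should return only the upstream response body to the client, never the URL it built, since that URL contains the key.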