<br><br><div class="gmail_quote">On Sun, Feb 7, 2010 at 7:08 PM, Sanjeev (EIPI) <span dir="ltr"><<a href="mailto:mobiletabletsblog@gmail.com">mobiletabletsblog@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><div></div><div class="h5"><br><br><div class="gmail_quote">On Sun, Feb 7, 2010 at 1:44 PM, David Greaves <span dir="ltr"><<a href="mailto:david@dgreaves.com" target="_blank">david@dgreaves.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>Sanjeev (EIPI) wrote:<br>
> Thank you for the reply. To clarify this particular situation a bit<br>
> more... The API key is available only on a paid basis. For some novel or<br>
> new devices, a limited use (read: non-commercial) key is given to<br>
> developers that apply for one. So, a casual user is not able to obtain<br>
> their own API key. I have obtained one of these limited use keys for use<br>
> in my application.<br>
><br>
> This is the reason why I was inquiring about how to protect the API key<br>
> within the application.<br>
<br>
</div>(nb try not to top-post)<br>
<br>
This is not a licensing issue, it's a security issue.<br>
(Well, actually, you may contravene the api publisher's license since you<br>
probably can't avoid publishing your personal credentials to the world).<br>
<br>
In general if you distribute a binary containing credentials then the<br>
credentials can be extracted. You need a fairly complex security system to avoid<br>
this (eg Harmattan's upcoming DRM management which is the problem you're<br>
attempting to solve - and look how well that worked out so far).<br>
<br>
You have several obvious problems:<br>
* python is distributed as source - it's hard to obfuscate<br>
* the api key will almost certainly be clear in the source<br>
* if you encrypt the credentials then the decryption routine will be clear<br>
* if you obfuscate it (eg compile) then it has to be capable of being read by<br>
the CPU - or by a debugger.<br>
<br>
One solution is to use a proxy. Provide an 'open' service that your app calls<br>
and which then passes the request on to the paid service using credentials kept<br>
on the proxy. This is likely a breach of the terms-of-use license.<br>
<br>
As the problem is outlined I think you're out of luck - sorry.<br>
<br>
David<br>
<font color="#888888"><br>
--<br>
"Don't worry, you'll be fine; I saw it work in a cartoon once..."<br>
</font></blockquote></div><br></div></div><br>
</blockquote></div><br>Thank you for the reply, David (and sorry for top-posting).<br><br>As I
said, I am new at this, so I did not see some of these issues before
starting development. The points you make are quite valid, and I did
not realize that python was distributed as source. That may sound
obvious to many, but I am not a s/w person at all. <br>
<br>I wonder how independent developers are making use of this API then? It confuses me greatly. <br><br>FWIW
- the application I made provides a simple UI so that a user can enter
an airline, and flight number. The app then uses the <a href="http://flightstats.com/" target="_blank">flightstats.com</a>
API to search for the flight's current status. The app provides a list
of airlines so that the user does not have to know the airline code. <br>
<br>This data is available through their API on a paid basis. For
simple widgets, they allow developers to use the API as long as they
provide deep links back to their site (for advertising revenue). I am
curious now how other application developers use the API key so that it
is secure. <br>
<br>Would C be a better choice? It sounds as though it may not, since you say that the API key can still be 'found out'.<br>
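<br><br>Added example, not part of the original thread or of any poster's code: a sketch of the server side of the proxy approach David describes, where the key lives only in the proxy's environment and the app sends just an airline code and flight number. The upstream URL, the parameter names and the FLIGHT_API_KEY variable are hypothetical placeholders, not the real flightstats.com API.<br>

```python
import os
import re
import time
from urllib.parse import urlencode

# Hypothetical upstream endpoint and parameter names (assumptions for illustration).
UPSTREAM = "https://api.example.invalid/flightstatus"
AIRLINE_RE = re.compile(r"[A-Z0-9]{2,3}")
FLIGHT_RE = re.compile(r"[0-9]{1,4}")

class RateLimiter:
    """Fixed-window limit per client, so the open proxy cannot drain the paid quota."""
    def __init__(self, limit, window_s):
        self.limit, self.window_s, self.hits = limit, window_s, {}

    def allow(self, client, now=None):
        now = time.time() if now is None else now
        start, count = self.hits.get(client, (now, 0))
        if now - start >= self.window_s:
            start, count = now, 0          # window expired: start a new one
        if count >= self.limit:
            return False
        self.hits[client] = (start, count + 1)
        return True

def build_upstream_url(airline, flight, api_key):
    """Validate the two client-supplied fields, then attach the server-side key."""
    airline, flight = airline.strip().upper(), flight.strip()
    if not AIRLINE_RE.fullmatch(airline) or not FLIGHT_RE.fullmatch(flight):
        raise ValueError("invalid airline code or flight number")
    # Only allow-listed fields are forwarded; anything else the client sent is dropped.
    return UPSTREAM + "?" + urlencode({"airline": airline, "flight": flight, "key": api_key})

def handle(client, params, limiter, api_key=None):
    """Return (status, url_to_fetch). The proxy fetches the URL and relays only the body."""
    api_key = api_key or os.environ.get("FLIGHT_API_KEY")   # never shipped in the app
    if not api_key:
        return 500, None
    if not limiter.allow(client):
        return 429, None
    try:
        return 200, build_upstream_url(params.get("airline", ""), params.get("flight", ""), api_key)
    except ValueError:
        return 400, None
```

The distributed application then contains only the proxy's address, so there is no credential in it to extract.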