david_navigator

Obfuscating secrets

Recommended Posts

Surprisingly I can't find an answer to my question here or via Google (I'm probably asking the wrong question), but what's the best way to obfuscate API secrets in Delphi?

e.g. My app needs to send email using Office 365, which requires an OAuth2 login. To start the login process I have a client_ID & a client_secret given to me by Microsoft to identify my app.
Obviously these need to be stored within the exe, but how to hide them such that some (casual) hacker can't pull them out and pretend to be me?

 

Cheers

 

David


Simple XOR encryption with a numeric key will make it much harder to search the EXE for client ID and passwords, AES if you don't care about the size overhead. 

 

Angus


We use TurboPower's encryption tools (available for free under Tools > Package Manager) for these kinds of mild protection from prying eyes. GetKey in the code below just returns the key we use. I'm sure purists will find all sorts of problems with the code below (including the FreeAndNil). But, hey, you do you and we'll do us. This isn't a banking app, it's obfuscation.

 

1 hour ago, david_navigator said:

Obviously these need to be stored within the exe

That is not a good idea.  Store them outside of the exe (config file, database, etc), and secure them with encryption, etc in case they need to be changed over time.

1 hour ago, david_navigator said:

but how to hide them such that some (casual) hacker, can't pull them out and pretend to be me ?

If a hacker has access to your exe, all bets are off. Nothing stops a competent hacker from discovering the memory blocks your app is using and just pulling the login values directly from that memory as soon as your app uses them.


Maybe you can consider using the Credential Manager of Windows.

Stored info is encrypted based on your Windows User login of the machine.

It's only readable (by every application) when the user is logged in.

It's very easy to read and write to it from Delphi with 2 or 3 functions/procedures.

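The Credential Manager approach described in the post above, as an added example that is not from the original thread: a small Delphi unit that writes and reads back a generic credential through the Win32 CredWriteW/CredReadW functions. The record layout and external declarations are hand-written from wincred.h on the assumption that no wincred unit ships with the Delphi RTL; the target name and unit name are placeholders. Windows encrypts the blob under the logged-in user's profile, so (as the post notes) any process running as that user can read it, which is the trade-off versus embedding the secret in the EXE.

```pascal
unit CredStore;
// Added example, not from the original post: keep an OAuth client_secret in the Windows
// Credential Manager rather than the EXE. Win32 declarations are hand-written from wincred.h.
interface
function SaveSecret(const Target, UserName, Secret: string): Boolean;
function LoadSecret(const Target: string; out Secret: string): Boolean;
implementation
uses Winapi.Windows, System.SysUtils;
const CRED_TYPE_GENERIC = 1; CRED_PERSIST_LOCAL_MACHINE = 2; // generic cred; survives logoff, per user
type PCREDENTIALW = ^CREDENTIALW;
  CREDENTIALW = record             // layout must match wincred.h field for field
    Flags, Type_: DWORD;
    TargetName, Comment: LPWSTR;
    LastWritten: FILETIME;
    CredentialBlobSize: DWORD;
    CredentialBlob: PByte;
    Persist, AttributeCount: DWORD;
    Attributes: Pointer;
    TargetAlias, UserName: LPWSTR;
  end;
function CredWriteW(Credential: PCREDENTIALW; Flags: DWORD): BOOL; stdcall; external 'advapi32.dll';
function CredReadW(TargetName: LPCWSTR; CredType, Flags: DWORD; var Credential: PCREDENTIALW): BOOL; stdcall; external 'advapi32.dll';
procedure CredFree(Buffer: Pointer); stdcall; external 'advapi32.dll';

// The blob is opaque bytes; stored as UTF-16 so LoadSecret can round-trip a Delphi string.
function SaveSecret(const Target, UserName, Secret: string): Boolean;
var Cred: CREDENTIALW; Blob: TBytes;
begin
  Blob := TEncoding.Unicode.GetBytes(Secret);
  FillChar(Cred, SizeOf(Cred), 0);
  Cred.Type_ := CRED_TYPE_GENERIC;
  Cred.TargetName := PWideChar(Target);      // e.g. 'MyApp/Office365' (placeholder)
  Cred.UserName := PWideChar(UserName);      // e.g. the client_ID
  Cred.CredentialBlobSize := Length(Blob);
  Cred.CredentialBlob := Pointer(Blob);      // nil for an empty secret
  Cred.Persist := CRED_PERSIST_LOCAL_MACHINE;
  Result := CredWriteW(@Cred, 0);            // False: check GetLastError
end;

// Windows allocates the record; CredFree must release it even if decoding raises.
function LoadSecret(const Target: string; out Secret: string): Boolean;
var Cred: PCREDENTIALW;
begin
  Result := CredReadW(PWideChar(Target), CRED_TYPE_GENERIC, 0, Cred);
  if Result then
  try
    SetString(Secret, PWideChar(Cred.CredentialBlob), Cred.CredentialBlobSize div SizeOf(WideChar));
  finally
    CredFree(Cred);
  end;
end;
end.
```

A first run (or an installer) calls SaveSecret once; later runs call LoadSecret, so the client_secret never sits in the EXE image and a credential rotated by Microsoft can be replaced without rebuilding.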
