david_navigator 12 Posted October 16, 2023 Surprisingly I can't find an answer to my question here or via google (I'm probably asking the wrong question), but what's the best way to obfuscate API secrets in Delphi ? e.g. My app needs to send email using Office 365, which requires an oAuth2 login. To start the login process I have a client_ID & a client_secret given to me by Microsoft to identify my app. Obviously these need to be stored within the exe but how to hide them such that some (casual) hacker, can't pull them out and pretend to be me ? Cheers David Share this post Link to post
Angus Robertson 574 Posted October 16, 2023 Simple XOR encryption with a numeric key will make it much harder to search the EXE for client ID and passwords, AES if you don't care about the size overhead. Angus Share this post Link to post
Tom F 85 Posted October 16, 2023 We use TurboPower's encryption tools (available for free under Tools > Package Manager for these kinds of mild protection from prying eyes. GetKey in the code below just returns the key we use. I'm sure purists will find all sorts of problems with the code below (including the FreeAndNil). But, hey, you do you and we'll do us. This isn't a banking app, it's obfuscation. Share this post Link to post
Remy Lebeau 1405 Posted October 16, 2023 1 hour ago, david_navigator said: Obviously these need to be stored within the exe That is not a good idea. Store them outside of the exe (config file, database, etc), and secure them with encryption, etc in case they need to be changed over time. 1 hour ago, david_navigator said: but how to hide them such that some (casual) hacker, can't pull them out and pretend to be me ? If a hacker has access to your exe, all bets are off. Nothing stops a competent hacker from discovering the memory blocks your app is using and just pull the login values directly from that memory as soon as your app uses it. 3 Share this post Link to post
Die Holländer 45 Posted October 17, 2023 Maybe you can consider to use the CredentialManager of Windows. Stored info is encrypted based on your Windows User login of the machine. It's only readable (by every application) when the user is logged in. It's very easy to read and write to it from Delphi with 2 or 3 functions/procedures. Share this post Link to post