Obfuscating a key

What are some ways to obfuscate a key contained in a constant or variable in a Xojo app, just to make it a LITTLE more difficult to obtain that key from prying eyes?

  1. split it into pieces sprinkled around different parts of the app
  2. don't store it as a single constant but compute it, or parts of it, via some weird code

There were other recommendations in a presentation Kem made some time ago called “security by obesity” (yes, really by obesity, not obscurity).

Stupid question: if you’ve sprinkled your serial number in bits across constants and unchanging variables with literal values, would an intelligent optimizing compiler not put it back together …? :thinking:

I was wondering if I could use a build script to “compute” an obfuscated code that gets stored as a single constant (I do this already (un-obfuscated) for other build data I want to be part of the app), and then the app performs some function on the obfuscated key when it needs to use it?

Like, in the build, it takes a code, and bit-shifts it or something and then stores that as a constant in the app. The app re-shifts the value to get back the real key when it needs to be read.
(Using something more interesting than bit-shifting as the “formula”, but a function that’s available in a build script)
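The build-time encode / runtime decode idea above, as an added example that is not from this thread, Kem's script or Bob's script. It is written in Python rather than Xojo so it can be run anywhere; the transform is a fixed position-dependent formula (XOR, rotate, chain on the previous byte), not a second key, so there is nothing extra to hide. `SAMPLE_KEY`, the chunk count and the `Const kPartN = "..."` output shape are all assumptions for illustration.

```python
"""Build-time obfuscation of a key constant, runtime recovery, and a
hex-editor style check. Added example in Python, not the thread's own
Xojo code; the transform is a formula with no second secret to protect."""

# Constructed sample key. A real build script would read the key from a
# file or environment variable that is never shipped with the app.
SAMPLE_KEY = "sk_live_EXAMPLE-0123456789abcdef"

_IV = 0x5A  # fixed starting value for the chaining step


def _rotl8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits (n taken modulo 8)."""
    n &= 7
    return ((b << n) | (b >> (8 - n))) & 0xFF


def _rotr8(b: int, n: int) -> int:
    """Inverse of _rotl8."""
    n &= 7
    return ((b >> n) | (b << (8 - n))) & 0xFF


def _mask(i: int) -> int:
    """Position-dependent mask: a formula, not a key, so nothing extra to hide."""
    return (i * 37 + 11) & 0xFF


def obfuscate(key: str, parts: int = 4) -> list[str]:
    """Build-time step: encode each byte by position, chain it with the
    previous plaintext byte, then split the hex result into at most `parts`
    chunks to be stored as separate constants scattered around the app."""
    out = bytearray()
    prev = _IV
    for i, b in enumerate(key.encode("utf-8")):
        out.append(_rotl8(b ^ _mask(i), i % 8) ^ prev)
        prev = b  # chain on the plaintext byte so equal bytes don't encode alike
    hexstr = out.hex()
    if not hexstr:
        return []
    size = -(-len(hexstr) // parts)  # ceiling division
    return [hexstr[j:j + size] for j in range(0, len(hexstr), size)]


def deobfuscate(chunks: list[str]) -> str:
    """Runtime step: reassemble the constants and invert the formula."""
    out = bytearray()
    prev = _IV
    for i, e in enumerate(bytes.fromhex("".join(chunks))):
        b = _rotr8(e ^ prev, i % 8) ^ _mask(i)
        out.append(b)
        prev = b
    return out.decode("utf-8")


def plaintext_visible(chunks: list[str], key: str) -> bool:
    """Hex-editor / `strings` check: does the key, or its hex encoding, appear
    verbatim in what the constants would put into the binary?"""
    blob = "".join(chunks).encode("ascii")
    raw = key.encode("utf-8")
    return raw in blob or raw.hex().encode("ascii") in blob


def emit_constants(key: str, prefix: str = "kPart") -> list[str]:
    """What a build script would write out, one line per chunk. The
    `Const name = "..."` shape is an assumption; adapt it to the target."""
    return [f'Const {prefix}{n} = "{c}"' for n, c in enumerate(obfuscate(key))]


if __name__ == "__main__":
    for line in emit_constants(SAMPLE_KEY):
        print(line)
    assert deobfuscate(obfuscate(SAMPLE_KEY)) == SAMPLE_KEY
```

The decode runs on the concatenation of chunks read from wherever the app placed them, so the key only exists assembled in memory after `deobfuscate` is called. This raises the bar against a hex editor or `strings`, nothing more: anyone who can run the app under a debugger can read the recovered value, and if the decode is done on literals the compiler can fold, keep the reassembly dependent on something evaluated at runtime.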

Be careful that you don’t end up with the need to hide the de-obfuscate key as well.

Was thinking of a formula, not another key, just so someone can’t see the key with a hex editor…

This is Kem's Obfuscate IDE script.
Select a “key” string in the IDE, and choose the script.

Also this one from Bob, no longer maintained.

This is where, if you use calculated parts, a compiler won't evaluate those to see that the result is constant, and so won't optimize out the breaking up of the key value.

I use a modified version of Kem’s script (that @JeanYves linked). It is also used to help Plugins Pro obfuscate and register MBS for you.

Nice. That’s very helpful, thank you.
I might change it to just ask for the un-encoded key during the build instead of changing the string in the actual code, but this should be a good method.

If you are looking for an easy way to ask for a passcode, and validate it with a specific code you had determined when you compiled the app, why not just store the code as something like an MD5 (or other encryption type). Have the user enter the clear text, encrypt their input the same way, and compare the two. This way the clear text of the passcode never exists in the compiled code. Is this 100% secure? Of course not, nothing is… But a hacker would have to:

  1. know there was an encrypted value in the code
  2. figure out where/what it was
  3. figure out a clear text phrase that would result in that value

Is the market potential of your app so great that someone would bother going to that effort?
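The hash-and-compare scheme from the post above, as an added example that is not the poster's code, in Python rather than Xojo. It embeds a salted, iterated PBKDF2-SHA256 digest instead of a bare MD5 and compares in constant time, and it also carries out the poster's step 3 against a plain MD5 of a short passcode to show why an unsalted fast hash does not make that step hard. The salt, iteration count and sample passcodes are constructed for the example.

```python
"""Build-time passcode digest, runtime check, and a brute-force demo.
Added example, not from the thread; the verifier format is an assumption."""
import hashlib
import hmac
import itertools
import string
from typing import Optional

# Constructed values. A build script would generate a fresh random salt and
# read the passcode from somewhere that does not ship with the app.
BUILD_SALT = bytes.fromhex("9f1c4e7a2b3d5e6f0a1b2c3d4e5f6071")
ITERATIONS = 100_000


def make_verifier(passcode: str, salt: bytes = BUILD_SALT,
                  iterations: int = ITERATIONS) -> str:
    """Build-time step: derive a slow, salted digest to embed in place of the
    passcode. Only this string goes into the compiled app."""
    dk = hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"


def check_passcode(entered: str, verifier: str) -> bool:
    """Runtime step: recompute the digest from user input and compare in
    constant time so timing does not leak how many bytes matched."""
    parts = verifier.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2-sha256":
        return False
    _, iters, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", entered.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def md5_hex(s: str) -> str:
    """Plain unsalted MD5, i.e. what the post suggests storing."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def md5_bruteforce(target_hex: str, alphabet: str = string.digits,
                   max_len: int = 4) -> Optional[str]:
    """The post's step 3 done the easy way: with no salt and a fast hash, a
    short passcode is recovered by trying every candidate."""
    for n in range(1, max_len + 1):
        for cand in itertools.product(alphabet, repeat=n):
            s = "".join(cand)
            if hmac.compare_digest(md5_hex(s), target_hex):
                return s
    return None


if __name__ == "__main__":
    v = make_verifier("correct horse")
    print(v)
    print(check_passcode("correct horse", v), check_passcode("wrong", v))
    print(md5_bruteforce(md5_hex("7351")))  # recovered in well under a second
```

This only works when the app merely needs to decide whether the user typed the right thing. It does not help with the RSA private key or API password case raised later in the thread, where the secret itself must be present in clear at runtime to be used; a one-way digest cannot be turned back into the key.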

Actually just looking for a way to marginally protect a private RSA key.

When accessing a web API that requires a ‘password’ to be sent as part of the authorization, you need some way to store that internally that is not obvious.