I am using some web API that operates by providing an API key (a 40-character string).
Upon registration to this service, I (the developer) get this key, which is unique per user.
Every call to the API looks something like a POST call to:
http://www.someservice.com/api/method
Where the actual data passed in the request contains:
apiKey=myKeyHere....
My question is: how can I prevent users of my app from revealing this API key?
This specific service provides highscore storage for games. Making my API key easily accessible means that players of my game will be able to issue their own requests for registering highscores.
I would like to either HARD CODE it into the code (less ideal solution)
or
keep it in some binary/configuration file that cannot be used to determine the actual string.
The scenario I would like to prevent is users getting this key and using it to submit messages to the server instead of my app.
As long as you use such a simple protocol where a static, unchanging key is sent to the server, your key obfuscation doesn't matter. The attacker can simply sniff the traffic and extract the key.
You'd need a heavily obfuscated piece of code that produces a one-time (or short-term valid) key. That might deter weak attackers, since they need to either reverse-engineer or duplicate your key-producing code. But against a competent attacker this will fail too.
You should not see client-side API keys as a security measure. They behave more like the User-Agent header in HTTP. The only API keys that can be secure are those stored on a server controlled by the app developer, such as in a third-party web application consuming your API.
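The following is an added example, not code from the original question or answer, showing the server-side arrangement the answer recommends: the game client never holds the service's API key; it talks to a small proxy run by the developer, which attaches the key only on the server-to-service leg. It also shows the "short-term valid key" idea from the answer implemented where it can actually hold up, as a server-minted HMAC session token, so there is no key-producing code in the client to reverse-engineer. The service URL is the one from the question; the 40-character key, the `token`/`score`/`player` field names, the session secret and the injectable `send` callable (which stands in for the real HTTP POST so the example runs offline) are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed example values (assumptions, not from the original post).
SERVICE_URL = "http://www.someservice.com/api/method"
SERVICE_API_KEY = "A" * 40                 # lives only on the developer's server
SESSION_SECRET = secrets.token_bytes(32)   # per-deployment secret for session tokens
TOKEN_TTL = 300                            # seconds a session token stays valid


def issue_session_token(player_id: str, now: float) -> str:
    """Mint a short-lived token binding player_id to an expiry time.

    The game client receives this after logging in to the developer's server
    and sends it with each score submission instead of the service API key.
    """
    expires = int(now) + TOKEN_TTL
    msg = f"{player_id}|{expires}".encode()
    sig = hmac.new(SESSION_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{player_id}|{expires}|{sig}"


def verify_session_token(token: str, now: float):
    """Return the player_id if the token is genuine and unexpired, else None."""
    try:
        player_id, expires_s, sig = token.split("|")
        expires = int(expires_s)
    except ValueError:
        return None
    expected = hmac.new(SESSION_SECRET, f"{player_id}|{expires}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time compare
        return None
    if now >= expires:
        return None
    return player_id


def handle_score_submission(client_body: str, now: float, send):
    """Proxy endpoint: validate the client's token, then call the service.

    `client_body` is the url-encoded POST body the game sent to *our* server;
    `send(url, body)` posts to the third-party service and is injected so the
    example runs offline. Returns ("ok", upstream_reply) or ("error", reason).
    """
    form = {k: v[0] for k, v in parse_qs(client_body).items()}
    player_id = verify_session_token(form.get("token", ""), now)
    if player_id is None:
        return ("error", "invalid or expired session token")
    try:
        score = int(form["score"])
    except (KeyError, ValueError):
        return ("error", "missing or non-integer score")
    if score < 0:
        return ("error", "negative score")
    # Only here, server side, is the secret service key attached.
    upstream_body = urlencode({"apiKey": SERVICE_API_KEY,
                               "player": player_id, "score": score})
    return ("ok", send(SERVICE_URL, upstream_body))


def demo():
    """Show what each side of the wire sees; returns the recorded traffic."""
    traffic = []

    def fake_send(url, body):          # stands in for the real HTTP POST
        traffic.append((url, body))
        return "stored"

    now = time.time()
    token = issue_session_token("alice", now)
    # This is all a sniffer on the player's network sees: no apiKey anywhere.
    client_body = urlencode({"token": token, "score": 1337})
    result = handle_score_submission(client_body, now, fake_send)
    # Replaying the captured request after the token expires is rejected.
    replay = handle_score_submission(client_body, now + TOKEN_TTL + 1, fake_send)
    return {"result": result, "replay_after_expiry": replay,
            "client_body": client_body, "upstream": traffic}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=>", v)
```

This moves the secret out of the player's reach, but it does not by itself stop a legitimately logged-in player from posting an inflated score: the proxy is simply the one place where plausibility checks, rate limiting and per-player logging can be enforced, which a key baked into the client can never provide.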