I’m currently developing a desktop application based on a 3rd party web API, and have registered for their program and been given two access keys in return.
However, if pasting these keys as strings in the source, then anyone could pull back the contents of the repo and find them pretty trivially.
So far my best idea of how to prevent this is to compile them separately into a class file, obfuscate it, and then just use that so they’re at least not in plain text in the source. But is there a better, more accepted or at commonly used way that I’m missing? I’m not after complete and utter security, but at least want to make extracting the keys as difficult as I reasonably can given an open source environment.
You’ll probably want to plug-in the access keys as a separate file in the source code, which you would avoid pushing to the public repository (or push with the actual keys deleted so someone wanting to use your application would need to plug-in their own key). That way everything is open source except your private keys themselves.
TL;DR: The only way to really avoid publishing your keys is not to make them part of the public source repo. Anything else means they are pretty trivially extractable by others.