Windows Phone 7: Translator Sample, an example in what not to do!

by Nick 10. February 2011 20:27

I’ve posted about this before but now I feel the urge to say it again following the Real Apps, Real Code post by Mark Hopkins (by the way I actually think this post and the use of samples is fantastic, I just like this example).

If you look at the Translator Starter Kit section there is a link to the Translator Starter Kit topic. Here the guidance suggests that you should get an AppID and add it into your application.


Surely they can’t be serious – DO NOT PUT APPLICATION KEYS INTO THE APPLICATION ITSELF. Application Keys/Ids are a web construct and work well when they’re in a configuration file on a server. If someone gets access to them then you’ve got bigger concerns than whether they’re going to be using your app key for some malicious purpose.

With an app key/id placed within your Windows Phone 7 application it’s about a 2 minute job for anyone with Fiddler and Reflector (after coughing up $35 to Redgate – talk about bad form!!!) to extract your Application key/id.

Unfortunately there is no holy grail for how you should deal with app key/ids. Some solutions rely on them being placed on a server and then retrieved when the application is run; some solutions distribute parts of the app key/id throughout the application, making it hard for someone to extract it. Essentially it comes down to security by obscurity, which is not a great position to be in. When will the industry learn that app keys/ids are not the answer?
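A pre-release check for the problem described above, as an added example that is not from the original post or the Translator Starter Kit: it opens a XAP package (a zip archive) and reports every place a given AppID appears, either as a UTF-16LE .NET string literal or as plain text in a packaged file. The AppID value, the file names and the function names are constructed for illustration.

```python
import io
import zipfile

# Constructed placeholder value; not a real AppID.
SAMPLE_APP_ID = "PLACEHOLDER-APPID-0000-NOT-A-REAL-KEY"


def find_embedded_secret(xap_bytes, secret):
    """Return (entry name, encoding, offset) for every copy of secret in the XAP."""
    needles = {
        "utf-16-le": secret.encode("utf-16-le"),  # .NET string literals in a DLL
        "utf-8": secret.encode("utf-8"),          # XML, config and resource files
    }
    hits = []
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as xap:
        for info in xap.infolist():
            data = xap.read(info)
            for encoding, needle in needles.items():
                offset = data.find(needle)
                while offset != -1:
                    hits.append((info.filename, encoding, offset))
                    offset = data.find(needle, offset + 1)
    return hits


def build_sample_xap(app_id):
    """Build a constructed stand-in for a XAP; the 'DLL' is filler bytes, not real IL."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as xap:
        xap.writestr("Translator.dll", b"MZ" + b"\x00" * 66 + app_id.encode("utf-16-le"))
        xap.writestr("WMAppManifest.xml", "<Deployment><App Title='Translator'/></Deployment>")
        xap.writestr("settings.xml", "<settings><add key='AppId' value='%s'/></settings>" % app_id)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_xap(SAMPLE_APP_ID)
    for name, encoding, offset in find_embedded_secret(sample, SAMPLE_APP_ID):
        print("AppID found in %s (%s) at byte %d" % (name, encoding, offset))
```

An empty result only shows that the literal is absent from the package; a key split into fragments and joined at run time will not match, yet is still sent in full in the app's requests.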


Comments (1) -

2/11/2011 4:05:28 AM #

Stuart Lodge

As long as you've only got a basic developer account, then I think actually you can include your AppId within your app without worrying too much.

While stealing the key from an app is fairly easy, if someone wants a key then stealing from clientside javascript is even easier!

Basically, I think the whole Bing AppId routine needs a rethink...

(There are a few posts like this around that talk about the lack of value that AppIds deliver: http://www.bing.com/community/developer/f/12254/p/648647/9540753.aspx)

Stuart Lodge, United Kingdom
