API shared secret in Ajax Adobe AIR application

Question

API shared secret in Ajax Adobe AIR application

I am new to developing AIR applications, so maybe this is a dumb question, but I can't find answers to questions from Google. Any help you can give me is greatly appreciated.

I am creating an AIR application with Ajax using an api that is identical to flickr Api, with a shared secret key. The problem is that the entire source is included in the air supply, and I do not want to pass on my shared secret. Is there any way to do this? Can I hide some source or somehow include this shared secret in the application without giving it away?

Thanks for your help.

+4

javascript api ajax air flickr

user38131 Nov 17 '08 at 2:51

source share

4 answers

Pierre-yves gillier · Answer 1 · 2008-11-24T10:12:05+0000

You can use EncryptedLocalStore to safely store the API key.

But you will not be able to distribute it with the application, since the storage encryption depends on which OS the application is running on.

The method for planting the store will be, when installing the application:

Run installer
If necessary, run the scripts after installation.
Check out the store. If the key is missing, download the key from your site and save it in ELS.

Using this method, the user will never recognize your key, but he will be present in the application store.

dkretz · Answer 2 · 2008-11-17T03:33:14+0000

First question: does the license allow you to write an application and provide it to someone else to use with your key, and not have your own key?

If so, and if it is an AIR-enabled SDK, they should have some method that they recommend.

EDIT:

This question describes how flickr provides access to additional resources using a key. If this is an AIR application, do you jump through the sandbox hoops to provide simultaneous Internet connection and a desktop application?

user43636 · Answer 3 · 2008-12-23T12:53:18+0000

I would either save the key on the server, or retrieve it using SSL (https: //) and flash.net.URLLoader class or save it in an encrypted SQLite database . Obviously, the database creates a lot more overhead if you are not already using it, so I would go with the first option if you are not going to use the SQLite database now or in the future.

Vasil · Answer 4 · 2008-12-23T21:47:27+0000

You can use EncryptedLocalStore, as Pierre-Yves Gigli mentioned. There is a detection method if the application is launched the first time. But I would go for this method:

Check if there is an api key in Encryptedlocalstore, and if it does not capture it from the amd server, save it.

API shared secret in Ajax Adobe AIR application

More articles: