I am developing a Windows Desktop Application using C++ MFC, and I want to securely store API keys, during the installation process. Ideally I do not want third party applications to be able to access the information.
The desktop native application, will be using the API keys for OAUTH flows. The API keys are sensitive, and could potentially be used to impersonate the application, and should be protected.
I have considered encrypting the API keys, and store them encrypted on DISK using DPAPI, but the installer might carry the information in the clear, and perhaps the installer might not offer DPAPI. Also when using DPAPI, it's not 100% secure, as other third party installed applications can read the keys.
Do Windows application installers offer DPAPI or another mechanism for this purpose?
What is the recommended approach for securing API keys or sensitive information on Windows 10 and 11, during installation. (Perhaps not using API keys for Desktop applications is the safest option)
I am hoping for a simple solution similar to what Android, IOS or MacOS has, where only the signed application with its unique application identifier, can access its own securely stored data.
Do you want to capture/ask the user for the API key in the installer GUI?
If so, the only option is to store it inside a hidden property, assuming you plan to build an MSI-based installer. It's not bulletproof but it provides a little bit of security.
After that, you can write your own custom action to process the value of the property and pass it to your application or save it somehow.
A safer method would be to ask the user to provide you with a file that contains the API key, so your installer never has access to the direct value of the key. Then you can write a custom action that reads the value from the file directly, bypassing the use of any MSI properties which in some cases can be exposed.
Disclaimer: I work on the team building Advanced Installer.