My application hits a number of web services, such as Twitter and Flickr. It uses API keys from those services, and I'd like to obfuscate them in my binaries. (I'm not really worried about piracy or anything, I just need to keep these keys secret.)
What's the best way to go about it?
If I store them as const SecureString, does that keep them out of memory? The MSDN description says the text is "deleted from computer memory when no longer needed", but isn't a const always in memory?
Will Dotfuscator obscure it in my assembly? (Assuming I can get it to work.)
Anon is correct, there is no way to completely protect data; someone can always get it at.
But you want to make it as difficult as possible. This means not doing the things that make it easy to read:
TwitterAPIKey REG_SZ
)twitterkey.txt
), or in an ini fileThis will leave people who have to have knowledge of a debugger, and (possibly) assembly code.
You've reduced the attack surface a lot.
Follow just the first three suggestions and you'll well on your way.