Storing secret keys in plugin code
#1
I'm dabbling with writing a plugin that uses parts of the Twitter API. This means that I have to store my Twitter app credentials (consumer key, secret, ...) in the plugin's code.

Now, as Kodi plugins are distributed as source code, this means that my Twitter app credentials are there for anyone to see (and use).

Two questions:
  • Is this in fact a problem?
  • If so, is there any way I can hide or obfuscate my keys?
Reply
#2
Doesn't Kodi have an integrated password manager that addons can utilize for encrypting and storing/retrieving passwords or keys?

http://forum.kodi.tv/showthread.php?tid=171663
http://forum.kodi.tv/showthread.php?tid=47693


White-box cryptography or code obfuscation could otherwise be used to hide stuff in open source addons, but code obfuscation is not ideal

http://crypto.stackexchange.com/question...bfuscation

Code obfuscation is at least certainly frowned upon in the open source software community, so it would not be advised for use in Kodi.


If there is no password manager available in Kodi that addons can use then white-box crypto of AES is probably the way to go.

Examples of Python implementations http://crypto.stackexchange.com/question...ython?lq=1


Though best would probably be if Kodi had an internal password manager utility / API that addons could call for storing passwords and keys.

Example of C++ implementation https://github.com/ph4r05/Whitebox-crypto-AES
Reply
#3
Could you not have the values you need as settings for that addon which are then set via the addons settings page.

This way they wouldn't be in the source code, and perhaps more importantly someone else could use your addon and enter their own Twitter credentials.
Reply
#4
The problem is that I'm using my Twitter app's secret keys to communicate with the Twitter API. I am not using a user's password, so I don't need to ask for it nor store it. It's my own app's secret keys (see https://apps.twitter.com/) that I need to store.
Reply
#5
Include them as a setting not in the code. Require your users to get their own keys and enter them in settings.
If I have helped you or increased your knowledge, click the 'thumbs up' button to give thanks :) (People with less than 20 posts won't see the "thumbs up" button.)
Reply
#6
I must not have made myself clear enough: I'm not looking to store user credentials, I'm looking to securely store my Twitter app's keys needed for authenticating with the Twitter API. These keys will have to be distributed together with the plugin, otherwise it won't be able to access the Twitter API features I want to use.

For more information on Twitter app authentication, see also the Twitter API docs on the matter.
Reply
#7
(2015-01-15, 10:03)Laundro Wrote: I must not have made myself clear enough: I'm not looking to store user credentials, I'm looking to securely store my Twitter app's keys needed for authenticating with the Twitter API. These keys will have to be distributed together with the plugin, otherwise it won't be able to access the Twitter API features I want to use.

For more information on Twitter app authentication, see also the Twitter API docs on the matter.
Then maybe use something like the above-mentioned white-box crypto using AES encryption with Python

https://docs.python.org/2/library/crypto.html

https://www.dlitz.net/software/pycrypto/
http://bityard.blogspot.de/2010/01/symme...-part.html
http://bityard.blogspot.de/2010/10/symme...-part.html
http://bityard.blogspot.de/2012/08/symme...art-3.html

http://brandon.sternefamily.net/2007/06/...mentation/

https://github.com/trevp/tlslite/blob/ma...hon_aes.py

https://github.com/caller9/pythonaes
Reply
#8
(This is weird, I thought I had posted a reply a few days ago. Anyway)

I'm beginning to think what I'm asking is by definition impossible. Were I to use AES encryption, I would still need to store the key to unlock thàt encryption in the plugin code.
Reply
#9
(2015-01-18, 11:02)Laundro Wrote: (This is weird, I thought I had posted a reply a few days ago. Anyway)

I'm beginning to think what I'm asking is by definition impossible. Were I to use AES encryption, I would still need to store the key to unlock thàt encryption in the plugin code.
Yes, it is by definition impossible to store any secret key on a user's computer. The best you can do is obfuscate it. But if I'm reading this right it's only an API key. Why would anyone bother to "steal" it?
Reply
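The point made in posts #8 and #9, with the alternative from posts #3 and #5, as an added example (not code from the thread or from Kodi). Whatever transform you apply to the consumer secret before shipping it, the inverse transform and its key ship in the same source tree, so "recovering" the secret is just calling the plugin's own decrypt routine. The cipher below is a toy SHA-256 keystream standing in for AES, the key and secret values are constructed placeholders, and the Kodi settings API (`xbmcaddon.Addon().getSetting`) is replaced by a plain dict so the example runs anywhere:

```python
"""Embedded 'encrypted' secret vs. user-supplied settings (added example)."""
import base64
import hashlib
import os
from typing import Dict, Optional

# Constructed placeholder, not a real key. In a shipped plugin this line is
# readable by every user, which is the whole problem.
EMBEDDED_KEY = b"this-key-ships-inside-the-plugin"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode). Stands in for AES; the
    argument is identical for any cipher because the key is embedded."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def obfuscate(secret: str, key: bytes = EMBEDDED_KEY) -> str:
    """What the plugin author runs once, then pastes the blob into the code."""
    nonce = os.urandom(8)
    data = secret.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return base64.b64encode(nonce + ct).decode("ascii")


def deobfuscate(blob: str, key: bytes = EMBEDDED_KEY) -> str:
    """What the plugin runs at start-up to get the usable consumer secret."""
    raw = base64.b64decode(blob)
    nonce, ct = raw[:8], raw[8:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode("utf-8")


def recover_from_source(blob: str) -> str:
    """What anyone holding the plugin source does: exactly the same call,
    with exactly the same embedded key. No cryptanalysis is involved."""
    return deobfuscate(blob, EMBEDDED_KEY)


def load_app_credentials(settings: Dict[str, str]) -> Optional[Dict[str, str]]:
    """The approach from posts #3/#5: keys come from the add-on's settings,
    entered by the user, so nothing secret is in the distributed code.
    `settings` models xbmcaddon.Addon().getSetting() (assumption for the demo).
    Returns None when the user has not configured their own keys yet."""
    key = settings.get("consumer_key", "").strip()
    secret = settings.get("consumer_secret", "").strip()
    if not key or not secret:
        return None
    return {"consumer_key": key, "consumer_secret": secret}


if __name__ == "__main__":
    # Constructed placeholder secret.
    blob = obfuscate("example-consumer-secret")
    print("blob shipped in plugin:", blob)
    print("recovered from source  :", recover_from_source(blob))
    print("unconfigured settings  :", load_app_credentials({}))
    print("configured settings    :", load_app_credentials(
        {"consumer_key": "user-key", "consumer_secret": "user-secret"}))
```

The first path shows that "AES with an embedded key" only raises the cost from reading a string literal to running one function; the second path is the one that actually keeps a secret out of the distributed code, at the price of each user registering their own Twitter app.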
#10
I'm still debating whether it is a problem or not :)

I guess I'll just make a new Twitter account, create the app, get the secret key, use it in the plugin and just wait and see whether anyone'd bother using it.

Thanks for all the input/feedback/help everyone!
Reply
#11
I have API keys for a number of third party sites in Artist Slideshow. I just store the API keys plain text in a configuration routine and don't worry about it. In the three years I've been maintaining AS I haven't had any reports from any of the sites that the key was being abused.
Reply
#12
Good to know pkscout, thanks for reassuring me.
Reply