I'm working on developing a Python Twitter application, but I've hit a snag. The Twitter API requires a secret key for your application, but I don't know how (or if) I can keep this key secret.
It's secret as long as no one hacks your server. Can't really do anything about this - people with much more sensitive info, such as payment gateways, are subject to the same risks. A paranoid solution would be to make a specialized server which performs all requests and doesn't run any services/open ports, and have the communication between said server and your main server be performed under SSL and authed with a unique pub/priv key pair.
Name: Anonymous 2010-05-02 4:51
Well, right now the key is stored in the application (client). The application authenticates with the Twitter servers, so I'm not really using my own server in between. I imagine most Twitter apps store the secret key on the local computer somehow. I was just wondering if there was a semi-secure way to do this in Python.
>>3
If you're giving the application to your users, then no, there is no real way. The users must run the application, and the app must send the key, so the key can be captured when it's sent, or your app can be disassembled... It's simply impossible, if you're giving the app to users.
If it's a server-side app, you don't have to worry much, except for the server's own security and whether you had good secure coding habits.
Name: Anonymous 2010-05-02 5:02
I had planned it to be a user application rather than server-side, but I might change my method a bit.
Does that mean that most Twitter desktop applications use their own servers for authentication or just not care if someone gets their consumer key?
>>5
Give me an example, and I'll see if I can find their key. I don't really use Twitter, so I don't know any "apps". I'd imagine some have servers do the requests for them, while others may put the key in clients and hope nobody will steal it.
Name: Anonymous 2010-05-02 5:25
There are very popular Twitter clients such as Tweetdeck or Blu. Those examples are closed-source, but I'd imagine if they interacted directly with the Twitter servers, it wouldn't be hard to capture the secret key. There are open-source apps I haven't used though, like Buzzbird.
Name: Anonymous 2010-05-02 5:27
PHP people store passwords in plain text files, I don't see what's wrong with that.
Name: Anonymous 2010-05-02 5:29
I imagine it's because if you had the application key and the user key that the application stores, you could post to their account, delete stuff, etc.
Name: Anonymous 2010-05-02 6:29
The Twitter API requires a secret key for your application
That's pretty retarded. Use a social network that doesn't suck, such as GNU social.
Name: Anonymous 2010-05-02 6:32
>>7
I looked over a couple of clients. A lot are server-side, some are client-side, but have their own API which is done server-side, and some store the key locally.
Tweetdeck stores the Consumer Key/Consumer Secret locally. I could post it here, but I'll refrain. Anyone who knows how to use basic Flash reverse engineering tools, or a packet sniffer should be able to find it.
Also, it has Facebook, LinkedIn, and many other API keys in there:
private static const API_SECRET:String = "EI5LxT_......";
private static var token:OAuthToken;
private static const API_KEY:String = "mpFtC....nQG";
(... means elided)
>>13
It's secure as long as the right protocol is used and the protocol is implemented correctly and the client is server-side. In this case, if you get someone else's key, if you just have the API key/secret, that means people could make their own API clients and mask as other API clients whose keys you have. I don't really see this as a security breach myself. It just means people that haven't registered with whatever service can use their API, which is something Twitter (and other social networking services) might not want, but it's not a security breach for the user.
Name: Anonymous 2010-05-02 7:07
Well, if you had the user's key and happened to have their client key as well, you could go and delete posts, friends, etc., which, when you think about it, isn't really that big of a deal.
Name: Anonymous 2010-05-02 7:09
So the best option would probably be to create a server API and have the Python client interact with the server (which has the API secret key)?
>>16
If you wish to go that way, but looking at other clients, it seems people aren't all that shy about keeping the actual API keys secret, since some clients do have them in plaintext or encoded using some silly encryption (which is unimportant, since it's locally run code).
Yeah, that makes sense. It just seems...weird saving the client secret and the user secret in plaintext, but it's not like I'm planning on making the most popular Twitter app or anything. Thanks for the help.
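The "server API in front of Twitter" design from >>16 and its reply, as an added example that is not from this thread: the consumer secret is only ever a signing-key ingredient (OAuth 1.0a HMAC-SHA1), so the proxy that holds it can sign a request on the client's behalf and hand back only the signed Authorization header. Credentials, URL and the token storage are constructed placeholders, and `server_sign_request` is a hypothetical name; it assumes the proxy also keeps the user's access token pair after doing the OAuth dance.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Constructed placeholder credentials; in the proxy design they live only on the server.
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = "example-consumer-secret"


def pct(s: str) -> str:
    # OAuth 1.0a percent-encoding: only RFC 3986 unreserved characters stay unencoded.
    return quote(s, safe="-._~")


def base_string(method: str, url: str, params: dict) -> str:
    # The signature base string: method, URL and the sorted, encoded parameter set.
    encoded = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), pct(url), pct(encoded)])


def sign(method: str, url: str, params: dict, consumer_secret: str, token_secret: str) -> str:
    # The HMAC key is consumer_secret&token_secret, which is why whoever holds the
    # shipped binary (and its embedded consumer secret) can sign as that application.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def server_sign_request(method: str, url: str, body_params: dict, user_token: str,
                        user_token_secret: str, nonce: str = "", timestamp: str = "") -> str:
    # Runs on the proxy. Returns only the Authorization header; CONSUMER_SECRET never leaves.
    oauth = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp or str(int(time.time())),
        "oauth_token": user_token,
        "oauth_version": "1.0",
    }
    all_params = {**body_params, **oauth}  # body fields are part of the signed set
    oauth["oauth_signature"] = sign(method, url, all_params, CONSUMER_SECRET, user_token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
```

The client sends method, URL and body fields to the proxy, receives the header, and forwards the request to Twitter; the check worth keeping in mind is that the returned header carries the consumer key but never the consumer secret.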