Questions about application distribution

Hello, as I mentioned in a previous post, I decided to learn programming with Xojo, and I have a few questions. While researching classes and looking at example projects, I found something curious. In the example project that explains how to connect to ChatGPT, it suggests placing the API key in a constant. My question is: is this safe? From what I understand, it’s not a good practice to include credentials directly within an application. Instead, it’s better to create an intermediate server to handle requests to the API. This is because my distance-measuring application will use the Maps API (the ADB execution issue I mentioned in the previous post was resolved in a somewhat unusual way). Since I am learning, I refuse to pay $300, so I connect my PC to my phone through a VPN. This way, even when I’m using 4G outside my home, my phone’s IP is always within Xojo’s reach. My last question is: When compiling applications for both PC and mobile, can they be deployed as they are, or is it necessary to apply any technique to protect them from decompilation? (Please note that I’m a beginner).

There is no way to completely secure a string against someone determined enough to read it. They don’t even need to be able to decompile it, they can run it through a debugger, or inspect the memory space, or a number of other things to get a string.

You can encrypt it so that it can’t be easily read off disk or by hex editing your binary (which would be possible by putting it into a constant), but even then it’s subject to retrieval through your system memory by someone determined and skillful enough.

Having an intermediate server is a good idea for more reasons than this though. If your application suddenly goes viral and is now hitting your OpenAI API with 100k requests a second, that gets really expensive really quickly and you need a way to throttle the requests, stop them after a certain amount, or maybe even paywall them if there’s that much demand. You control a server whereas you no longer control your application once people have downloaded it.

Keep in mind, the communication between your program and your server will also need some sort of password or secret key, and you run into the same problems as using the API key directly in your app.

Other than that, protecting from decompilation is a fool’s errand. A better decompiler will always come out, and your older versions will always be vulnerable to it. These are just the risks we take as developers.
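The relay the post above recommends, as an added example that is not code from this thread: the upstream API key stays on the server (a placeholder here), each app install carries only its own revocable token, and the server throttles per client and caps total spend. The `Relay` class, its method names and the token values are constructed for the illustration.

```python
import hmac
from dataclasses import dataclass, field

# Placeholder: the real upstream key is configured on the server, never compiled into the app.
UPSTREAM_API_KEY = "sk-PLACEHOLDER-server-side-only"


@dataclass
class Bucket:
    tokens: float   # remaining allowance for this client
    last: float     # timestamp of the last refill


@dataclass
class Relay:
    rate_per_sec: float            # sustained requests/second allowed per client token
    burst: int                     # short-term allowance per client token
    global_cap: int                # total requests this deployment is willing to pay for
    clients: dict[str, str]        # install token -> label; revoking a leaked token = deleting it
    buckets: dict[str, Bucket] = field(default_factory=dict)
    served: int = 0

    def authorize(self, token: str, now: float) -> str:
        """Return 'ok', 'unauthorized', 'throttled' or 'quota_exhausted'."""
        # The per-install token can still be pulled out of the app (the thread's point),
        # but unlike the upstream key it is individually throttled and revocable.
        if not any(hmac.compare_digest(token, t) for t in self.clients):
            return "unauthorized"
        if self.served >= self.global_cap:
            return "quota_exhausted"
        # Token bucket: refill proportionally to elapsed time, capped at the burst size.
        b = self.buckets.setdefault(token, Bucket(float(self.burst), now))
        b.tokens = min(float(self.burst), b.tokens + (now - b.last) * self.rate_per_sec)
        b.last = now
        if b.tokens < 1:
            return "throttled"
        b.tokens -= 1
        self.served += 1
        # A real deployment would now forward the request upstream using UPSTREAM_API_KEY.
        return "ok"
```

Only requests that pass `authorize` ever reach the upstream API, so a leaked install token costs you at most its own bucket until you delete it from `clients`.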

It is better to obfuscate API keys and passwords in your app.
But it won’t 100% prevent someone decompiling your app and finding it.

Anyway, the following script can be used in Xojo.
Place the file in Documents/Xojo/IDE/Scripts

Obfuscate.xojo_script.zip (1.7 KB)

To use it, highlight a string value in the IDE code editor, then from the menu: File > IDE Scripts > Obfuscate.xojo_script

It will produce code like this:

dim decodedString as String

// Encoding for value 
if True then
  dim codeArr() as Integer = Array( 94443, 95333, 97911, 69214, 93532, 94889, 70859, 74311, 92960, 80011, 68388, 68614, 81889, 82312, 95455, 84802, 95183, 64499, 73549, 84047 )
  dim adderArr() as Integer = Array( 94339, 95233, 97814, 69109, 93431, 94790, 70743, 74195, 92860, 79979, 68301, 68551, 81857, 82192, 95343, 84681, 95072, 64467, 73432, 83946 )
  dim indexArr() as Integer = Array( 1, 5, 2, 6, 13, 17, 3, 18, 7, 12, 0, 19, 8, 14, 15, 9, 10, 4, 11, 16 )
  indexArr.SortWith codeArr, adderArr
  
  dim decodedChars() as String
  for i as Integer = 0 to codeArr.Ubound
    decodedChars.Append Chr( codeArr( i ) - adderArr( i ) )
  next i
  
  decodedString = String.FromArray( decodedChars, "" )
end if // True
// End Encoding for value

// Do something with decodedString
decodedString...

__
EDIT: I can’t remember who shared that script on the forum first, I am not author and not taking credit for it.

4 Likes
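As an added example (not the IDE script's own code), here is the scheme above re-implemented in Python, with both the generating half and the decoding half so the whole round trip is visible: each character is stored as its code plus a random adder, and the three arrays are shuffled together with `indexArr` recording the true positions. Decoding the arrays from the post recovers the script's demo text, which is the thread's point: everything needed to undo the obfuscation ships inside the binary.

```python
import random


def obfuscate(secret: str, rng: random.Random) -> tuple[list[int], list[int], list[int]]:
    """Produce (codeArr, adderArr, indexArr) in the layout the Xojo script emits."""
    positions = list(range(len(secret)))
    rng.shuffle(positions)                       # scramble character order
    code, adder, index = [], [], []
    for pos in positions:
        a = rng.randint(60000, 99000)            # random offset, same range as the posted output
        code.append(ord(secret[pos]) + a)        # hidden character = code - adder
        adder.append(a)
        index.append(pos)                        # where this character really belongs
    return code, adder, index


def deobfuscate(code: list[int], adder: list[int], index: list[int]) -> str:
    """Mirror of the generated Xojo code: indexArr.SortWith codeArr, adderArr; then Chr(code - adder)."""
    triples = sorted(zip(index, code, adder))    # sort by true position, carrying the other two along
    return "".join(chr(c - a) for _, c, a in triples)


# The arrays from the post above, copied verbatim.
CODE_ARR = [94443, 95333, 97911, 69214, 93532, 94889, 70859, 74311, 92960, 80011,
            68388, 68614, 81889, 82312, 95455, 84802, 95183, 64499, 73549, 84047]
ADDER_ARR = [94339, 95233, 97814, 69109, 93431, 94790, 70743, 74195, 92860, 79979,
             68301, 68551, 81857, 82192, 95343, 84681, 95072, 64467, 73432, 83946]
INDEX_ARR = [1, 5, 2, 6, 13, 17, 3, 18, 7, 12, 0, 19, 8, 14, 15, 9, 10, 4, 11, 16]


def recover_posted_value() -> str:
    """Decode the script's own demo output; no secret material, just the posted arrays."""
    return deobfuscate(CODE_ARR, ADDER_ARR, INDEX_ARR)


def roundtrip(secret: str, seed: int = 1) -> bool:
    """Obfuscate then decode a constructed string and confirm it survives intact."""
    return deobfuscate(*obfuscate(secret, random.Random(seed))) == secret


if __name__ == "__main__":
    print(recover_posted_value())
```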

On other platforms and environments, there are options to prevent code debugging, but Xojo doesn’t include this feature. It won’t prevent it 100%, but at least it will make it more difficult. I understand that nothing is absolutely safe in this world, but adding a ‘shield’ never hurts. For example, Xojo’s license system is almost unbreakable—I believe it uses RSA to encrypt the license file.

I built it, and it’s much more complicated than that.

That’s why, xojo, I wouldn’t suggest putting something as sensitive as a key in a constant if there wasn’t a good way to protect an application. I don’t pretend to understand all the ins and outs yet, but I think there must be a way.

Licensing and code protection are two completely different things.

But the concept is the same: software protection. For example, medicine has many fields that are intertwined. Thoracic surgery is not the same as dental surgery, but they are both surgeries. So one method of protection can inspire another.

Not like this. Licensing relies on encryption. Xojo’s servers and IDE have agreed upon a means to encrypt the license file and verify its identity. But code cannot be encrypted because the machine needs to be able to decrypt it. We have code signing, which is close. It allows the operating system to verify that an object has not been tampered with, through a similar chain of trust. But if you wanted encrypted code, that has to be a feature provided by the operating system. Which would then be pointless, as the means the OS uses to decrypt the code could be used too… decrypt the code.

It just can’t be done. Code can be obfuscated but not encrypted.

1 Like

Obfuscators are worthless. I know people who program in Java and C# who say that obfuscating code is like covering it with cross-outs (somewhat vague symbology), but they say that if you are clever you can extract the logic from the code. They advise me that it is better to use compiled languages; that is why I am learning Xojo.

However, being compiled is also useless if with a simple click you can read the binary code.

Well… too bad? Compiled code isn’t about protecting it anyway. Yet tons of businesses make money on software despite this. Hell, I make my living from an open source app. So the best advice I can give you is to not stress about it, because it doesn’t matter which language you use, there’s always a way. Yet the world spins on.

As I mentioned in another post, I don’t consider open source to be healthy. It’s like building your house and not closing the door so everyone can see what’s there.

I can tell

2 Likes