I am using an API key in some Python code which I am looking to distribute. This API key is for Google Maps. Are there any security issues with regards to distributing this API key and if so, how is it best to hide this?
It isn't necessary, the Google API key is tied to your domain so the referrer is checked when it is used.
You can read more about how it works here
Relevant part
Note that a key for http://www.mygooglemapssite.com/ will only be accepted when the site is accessed using this address. It will not be accepted if the site is accessed by IP address (eg. http://10.1.2.3/) or by a hostname that is aliased to www.mygooglemapssite.com using a DNS CNAME record.
Their version 3 API doesn't require a key now.
http://code.google.com/apis/maps/documentation/javascript/
You cannot hide this. Your program needs to access it and a hacker will simply use a tool like a debugger, a virtual machine or a modified Python implementation if he/she really wants to know the API key.
I don't think it's necessary to hide a Google Maps API key anyway, as a web page will also have this in its source code when the API is in use. You should refer to the documentation or the page where you obtained the key to see if it's a private key.
if you're providing a tool for "power users" to use google maps, then it's reasonable to expect them to supply their own Google API key. If that's not an option for your users, you will need to have a web-service that your application accesses to act as a deputy so that your private key is not exposed. You will still have to devise a means of authenticating users, if that is applicable.
You could obfuscate the key in various ways, but it's not worth the effort. Obfuscation is a weak way to protect information, and in this case your information's security isn't especially critical anyway.
The point of the API key is largely so that the API vendor (Google, here) can monitor, throttle, and revoke your application's use of their service. It is meant to be private, and you shouldn't share it carelessly or intentionally, but it isn't the end of the world if somebody else gets their hands on it.
The Google Maps API key is only for version 2, which has been officially deprecated since May 2010. Strongly suggest you use Version 3 of the API instead, which is much better, and has no need for an API key.
Related
I'm fairly new to utilizing APIs, so please bear with me if this is a dumb question. I am writing a code using one of the APIs for www.imdb.com. I had to sign up to have access. If I push my code to github and the host and key are openly given as header parameters in my code, does this expose me in any way? Like will it leave me vulnerable for malicious attacks?
If you store an API key on a public repository, you are publishing in the open so that anyone can see it. Here are Best practices for securely using API keys:
https://www.freecodecamp.org/news/how-to-securely-store-api-keys-4ff3ea19ebda/
https://support.google.com/googleapi/answer/6310037?hl=en
Store them in environment variables or in files outside of your application's source tree.
Does facebook allow to use one person's access token to fetch post info of another person (post comments, likes)?
I am thinking of implementing a pool of tokens in my app, so if token is broken I can use other persons token. Wondering if it's allowed and whether facebook have some restrictions on such a use case.
Additionally, I am currently using FQL, is there a difference for Graph API in how tokens work?
Short answer: It is not possible. That would be an incredibly large privacy problem anyway.
Also, for user postings you need the "read_stream" permission and you probably will not get this one approved:
This permission is reserved for apps that replicate the Facebook
client on platforms that don’t have a native client.
(https://developers.facebook.com/docs/facebook-login/permissions/v2.0)
About FQL: There is no difference, although keep in mind that FQL is deprecated and will be removed when support for v2.0 runs out. See this link for more information: https://developers.facebook.com/docs/apps/versions#versioning
(thanx to Tobi for clarification)
I have more of a general question about how I would go about achieving something. I would like to run a daemon process that updates my own Google Calendar (as a background process). I have consulted the sites regarding Google API procedure (authentication, access tokens, etc.) and it seems that the authentication code I've seen requires manual authentication on my part (i.e. me pressing the 'yes, i'm okay with this application accessing my calendar' button). Given that I am writing a program to access my own google calendar (so security shouldn't be an issue), is there any way I can authenticate from within my own source code (perhaps a way of including my login info within the Python script I am writing for this program)?
I hope that makes sense. Thanks for the help!
You should have a look to Service Account with OAuth2.0. (See here : https://developers.google.com/accounts/docs/OAuth2#serviceaccount) It will provide a service account for your application, from which you will be able to handle calendars for your app.
I know it's possible to do it using java and here you will find a sample showing how to do it with Java. (https://code.google.com/p/google-api-java-client/wiki/OAuth2#Service_Accounts)
And I am almost sure it's also possible with Python. (see https://developers.google.com/accounts/docs/OAuth2ServiceAccount)
I am writing a desktop application in Python. This application requires the user to input their GMail email and password (however an account must be created specifically for this app, so it's not their personal (read: important) GMail account). I was wondering what would be the best way to store those login credentials. I don't need it to be super secure, but would like something more than storing it as plain text.
Thank you in advance.
Any chance you could not store the information on disk at all? I think that's always the most secure approach, if you can manage it. Can you check the credentials and then discard that information?
You can always encrypt the information if that doesn't work, but the decryption mechanism and key would probably have to reside in your program, then. Still, it might meet your criterion of not super-secure but better than plain text.
Use the OS keyring for this, which is the job of the python-keyring module.
Use the platform's native configuration storage mechanism (registry, GConf, plist).
If you are using Qt for your app, you should really use QSettings and let the framework handle the storage for you. Note: QSettings will NOT encrypt anything for you, but will store values in the most appropriate location depending on the platform it's running on.
Regarding security, you really should use OAuth, like in the example here, and just store the resulting token.
I want to let users use their google account to login to my website. Exactly the way SO lets me. Can anyone please point in the right direction? I'm assuming the oAuth library is to be used but what I'd really like is a snippet of code I can directly copy paste and get this to work.
It's not OAuth particularly that you need (OAuth is for authorising access for one website to specific private content held on another), but OpenID - which is meant for authentication rather than authorisation. (Some sites, like Twitter, do provide authentication services via OAuth, but that's not what it's primarily for.) I have used python-openid which is fairly straightforward to use, or you can look at django-openid - though it admits to being incomplete, you could get some idea of how to implement OpenID support.
The problem's a little too involved to admit a copy-and-paste solution, but it's not especially hard to do this.
Update: piquadrat's link (in he comment) is definitely worth following.
You may want to check out django-piston which is a mini-framework with oAuth built in. Here's a tutorial on how to set it up.
You might consider using Django-Socialauth, as it supports
Twitter
Gmail
Facebook
Yahoo (essentially openid)
OpenId