Can an API key be securely stored in a Windows Store app?

Question

I want to write a Windows Store app which uses a 3rd party API. This API costs me money, so I'll charge people using in-app purchases.

The 3rd party will provide me with an API key. Is there a way to securely store this API key in a Windows Store app? If someone discovered the API key, they could use the API for free and I'd get billed.

I can use C++ or C#.

Answer 1

If you place your API in your application it can be found by anyone that has the time to reverse engineer your product.

If it's extremely important for the key not to be used by others I would suggest making an online service and simply using your Windows Store app to communicate with the server to get the results. In other words, only your online service will know the API key that way.

If that isn't possible then you just need to face the fact that your key will be found at some point if your application is known enough and is worth "cracking". To make it a bit harder I would suggest avoiding C# since it is extremely easy to reverse engineer .NET applications, even if they have been obfuscated. Which means if the first method isn't an option for you, go for C++ and make sure your key is encrypted.

Answer 2

Nothing is 100% safe.

How do you plan on storing the API key? If you just put it in a string, it will be easy to discover. If you encrypt the key and decrypt it in memory before use, it will be considerably harder to find. Make sure to encrypt it.