Obfuscate hardcoded strings with sensitive data #21807

Open
friofry opened this issue Dec 12, 2024 · 0 comments

friofry commented Dec 12, 2024

Description

Currently, most hardcoded strings can be extracted from the release binary using a text editor or the strings and objdump command-line utilities.
We could use a simple encryption mechanism with a hardcoded key (or just XOR).
And/or, as @igor-sirotin suggested, split the key into several pieces and combine them at runtime.

It would be nice to have a macro for this that can be reused for the tokens we inject into the CI at compile time.

Admittedly, this is a protection against an honest man, and the proper mechanism should be implemented later (asking proxy for an ephemeral key, or something inspired by Waku RLN).

Acceptance criteria

The binary doesn't contain any 3rd party secrets as plaintext

related ticket: status-im/status-desktop#16944
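
An added example, not code from the issue or the project: a Python sketch of a CI check for the acceptance criterion above, run against constructed byte blobs standing in for a release binary, one with the token in plaintext and one XORed with a key assembled from pieces. The token value, key pieces and all function names are assumptions.

```python
import re
from itertools import cycle

# Constructed sample values; not real credentials or project data.
SECRETS = {"API_TOKEN": "tok_constructed_0123456789abcdef"}
KEY_PARTS = (b"\x5a\x13", b"\xc7", b"\x88\x2e")  # key pieces, joined only at runtime


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key; applying it twice restores the input."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_blob(payload: bytes) -> bytes:
    """Constructed stand-in for a release binary: header, payload, trailer."""
    return b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + payload + b"\x00.rodata\x00"


def strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Printable ASCII runs, roughly what the `strings` utility prints."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def leaked_secrets(blob: bytes, secrets: dict[str, str]) -> list[tuple[str, str]]:
    """(name, encoding) for every secret present verbatim in the blob."""
    hits = []
    for name, value in sorted(secrets.items()):
        for enc in ("utf-8", "utf-16-le"):
            if value.encode(enc) in blob:
                hits.append((name, enc))
    return hits


TOKEN = SECRETS["API_TOKEN"].encode()
PLAIN_BLOB = build_blob(TOKEN)
OBF_BLOB = build_blob(xor_bytes(TOKEN, b"".join(KEY_PARTS)))

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_BLOB), ("obfuscated", OBF_BLOB)):
        print(label, strings(blob), leaked_secrets(blob, SECRETS))
```

A pass from this check confirms only that the value is absent as plaintext; the key pieces still ship in the binary, which is the limitation the issue itself acknowledges.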
