Don't Leak Your Strings!

I'm not going to talk about SecureString in this post.
This article is about an often overlooked aspect of development where you can easily leak information you didn't want to share. In fact, I encourage you to grab a closed-source library you are curious about on your system and run Strings.exe or Strings64.exe (https://docs.microsoft.com/en-us/sysinternals/downloads/strings) against it to dump all of the strings contained in the assembly. What does it tell you about the program?

Maybe you get nothing, but oftentimes I see leaked keys and secrets that are hard-coded into the binary. First, it isn't surprising that a lot of developers do this. There isn't any documentation out there when using a third-party library that says "Hey don't leak this API key!". Tutorials and samples for every library I've used just say "Enter api key here to unlock the component."
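
To run the same check on your own build output before it ships, here is an added example (not code from this post or from Sysinternals). It pulls printable ASCII and UTF-16LE runs out of a binary, the two encodings Strings.exe scans for, and flags the ones that name a secret or look like key material. The minimum length, keyword list, entropy threshold and sample bytes are constructed assumptions to tune for your own project.

```python
import math
import re
import sys

MIN_LEN = 8  # assumption: shorter runs are mostly noise
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
# Constructed keyword heuristics, not an exhaustive rule set.
KEYWORD_RE = re.compile(r"(?i)(api[_-]?key|secret|password|token|license)")


def extract_strings(data: bytes):
    """Yield (offset, encoding, text) for printable ASCII and UTF-16LE runs."""
    for m in ASCII_RE.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RE.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_suspects(data: bytes, min_entropy: float = 4.0):
    """Return strings that name a secret or look like random key material."""
    hits = []
    for offset, enc, text in extract_strings(data):
        if KEYWORD_RE.search(text):
            hits.append((offset, enc, "keyword", text))
        elif len(text) >= 20 and " " not in text and entropy(text) >= min_entropy:
            hits.append((offset, enc, "high-entropy", text))
    return sorted(hits)


# Constructed sample standing in for a compiled binary (values are not real keys).
SAMPLE = (
    b"\x00\x01MZ\x90\x00" + b"This program cannot be run in DOS mode." + b"\x00\xff"
    + "ApiKey=EXAMPLE-NOT-A-REAL-KEY".encode("utf-16-le") + b"\x00\x00\x07"
    + b"q7Zp2Lx9Vb4Tn8Rk1Wd6Hs3Jf5Gy0Mc" + b"\x00"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, enc, reason, text in find_suspects(data):
        print(f"0x{offset:08x} {enc:8} {reason:12} {text}")
```

Run it with a path to your compiled assembly as the only argument; with no argument it scans the embedded sample.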

The good news is that this is a really easy practice to fix, and there are several methods you can use to hide your sensitive strings, but I want to call out https://www.stringencrypt.com by Bartosz Wójcik if you are looking for some help.  It is powerful, simple, and will really secure your strings.