How To Protect Sensitive Keys in Adobe Air Apps?

What are the best practices for delivering an Adobe Air app that needs a开发者_JAVA技巧 private key in order to communicate with some online API?

Adobe Air apps seem like they are delivered to the user with full source code, so storing any keys within the source would be a really bad idea. I've read some suggestions saying to download the key from your server, but that has the same problem because the url allowing the download would have to be stored in source code. Also, suggestions saying to store in the encrypted local storage don't make sense to me either, because I still have to obtain the private key somehow.

---

I think this is a global problem of delivering secret keys in any application, since everything can be reverse-engineered (disasamble for executables, IL readers, etc.)

No matter what you do, if the client application needs to somehow "know" a secret key, then the user can know the secret key.

Assuming that:

1. You deliver a product ("client application") which relys on some 3rd party web service ("the service").
2. Your company has just one secret key ("company key") for using the service.
3. The company key must never be exposed (due to possible abuse)
4. Every piece of information held by or transmitted by the client application is exposed

A solution might be to use some proxy:

1. The proxy implements the API of the service
2. The client application connects to the proxy
3. The proxy connects to the service using the company key
4. The proxy delegates all calls from the client to the service and vice-versa