-4

Specifically worried that someone might be able to extract the API key in a way I am unaware of and make calls to my own Cognitive Services subscription outside of the context of my program.

1 Answer

9

Yes, anyone can easily find the key.

The simplest method would be to use the .NET development tools (available for free download from Microsoft), which contain a decompiler. Aim the decompiler at the program and look for any strings; not too many will look like keys...

If that fails because you were a smart cookie and encrypted the key, they could still look for actual calls using a proxy DLL, or HTTP requests. Somewhere you have to hand the key over in plain text... They can then trace it back to the encrypted key, and the decryption key and algorithm.

Making it safe

Do not pass out your subscription...

Option 1: Require the user to have their own subscription and ask for their key instead.

Option 2: Implement a middleman server on your own/cloud host. Rewrite your application to make requests against this API, use whatever account/service control you would like. Once you have verified (in the middleman) that the user is legitimate, the middleman makes the request of Azure itself, and returns the results to your client.
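
A sketch of the middleman described in Option 2, added here as an example and not part of the original answer: the client sends only a per-user token, and the server verifies it, applies a per-user rate limit, and attaches the subscription key itself. The environment variable names, the `user:expiry:hmac` token format, the upstream URL and the limit are assumptions for illustration; `Ocp-Apim-Subscription-Key` is the header Azure Cognitive Services reads the key from.

```python
import hashlib
import hmac
import os
import time
import urllib.request

# Assumptions (hypothetical names): env vars, URL and limit are placeholders.
AZURE_KEY = os.environ.get("AZURE_COG_KEY", "server-side-placeholder")
UPSTREAM = os.environ.get("AZURE_COG_URL", "https://example.invalid/analyze")
TOKEN_SECRET = os.environ.get("TOKEN_SECRET", "constructed-demo-secret").encode()
MAX_CALLS_PER_MINUTE = 3
_calls = {}  # user id -> timestamps of recently forwarded calls

def issue_token(user, expires):
    """Token handed to a user after login: 'user:expiry:hmac'."""
    msg = f"{user}:{expires}".encode()
    return f"{user}:{expires}:{hmac.new(TOKEN_SECRET, msg, hashlib.sha256).hexdigest()}"

def verify_token(token, now):
    """Return the user id for a valid, unexpired token, else None."""
    try:
        user, expires, mac = token.rsplit(":", 2)
        expiry = int(expires)
    except ValueError:
        return None
    good = hmac.new(TOKEN_SECRET, f"{user}:{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), good.encode()) or expiry < now:
        return None
    return user

def call_azure(body):
    """Real upstream call; the subscription key is added only here, server-side."""
    req = urllib.request.Request(UPSTREAM, data=body, headers={
        "Ocp-Apim-Subscription-Key": AZURE_KEY,
        "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()

def handle(token, body, forward=call_azure, now=None):
    """Middleman entry point: authenticate, rate-limit, then forward."""
    now = time.time() if now is None else now
    user = verify_token(token, now)
    if user is None:
        return 401, b"invalid or expired token"
    recent = [t for t in _calls.get(user, []) if now - t < 60]
    if len(recent) >= MAX_CALLS_PER_MINUTE:
        return 429, b"rate limit exceeded"
    _calls[user] = recent + [now]
    return forward(body)
```

The shipped client then contains only the user's own token, so a decompiler or intercepting proxy recovers nothing that works against the Azure subscription directly, and a leaked token can be expired or throttled per user.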
