
keeping string values secure in a winforms app

My app communicates with a web service using some keys that were supplied by the web service provider. Each WS call incurs a charge to myself, so I need to keep these keys secure within the application.

I know that some obfuscators may help with this, but as far as I know, none that have this functionality are free.

I have also thought about having my own web service that can retrieve the keys (I can then move my authentication code out to the web service and return the keys after a valid login). I believe that this is liable to snooping though.

I don't think I can symmetrically encrypt the keys as this will require an encryption key and this will then be hard-coded in the source code and available to Reflector.

So, I cannot think of a way to achieve my goal. What is the standard approach in these situations?

Can anyone help?
Zaph0d  Tuesday, November 28, 2006 3:59 PM
If at any point you need to put the value of the key into a String object there is no way to truly protect that value. SecureString was introduced in .NET 2.0 to get around that problem. If you look at that class you'll notice there's no way to directly get a String out of SecureString. Unfortunately all .NET methods that accept data that could be considered sensitive (like a password) don't all have an override accepting a SecureString.

The data in SecureString can be passed around as a byte array which is easily pinnable and marshaled, and its content can be cleared easier.
Peter Ritchie  Tuesday, November 28, 2006 5:15 PM
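
An added example, not part of Peter Ritchie's post, of the handling described in the answer above: the SecureString contents are copied into a pinned byte array, used, and then zeroed. The class name `SecureStringDemo`, the helper `UseAsBytes` and the sample key value are assumptions made for illustration.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringDemo
{
    // Hypothetical helper: copies the SecureString (UTF-16) into a pinned
    // byte[], hands it to the caller, then zeroes every plaintext copy.
    public static void UseAsBytes(SecureString secret, Action<byte[]> use)
    {
        if (secret == null) throw new ArgumentNullException("secret");
        if (use == null) throw new ArgumentNullException("use");

        byte[] buffer = new byte[secret.Length * 2];
        // Pin the array so the GC cannot move it and leave stale copies behind.
        GCHandle pin = GCHandle.Alloc(buffer, GCHandleType.Pinned);
        IntPtr unmanaged = IntPtr.Zero;
        try
        {
            // Decrypts into unmanaged memory that the GC never touches.
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(secret);
            Marshal.Copy(unmanaged, buffer, 0, buffer.Length);
            use(buffer);
        }
        finally
        {
            // Zero and free the unmanaged copy, then wipe the managed array.
            if (unmanaged != IntPtr.Zero)
                Marshal.ZeroFreeGlobalAllocUnicode(unmanaged);
            Array.Clear(buffer, 0, buffer.Length);
            pin.Free();
        }
    }

    static void Main()
    {
        // Constructed sample value; a literal is used only so the demo runs.
        // A real key would be appended character by character at run time.
        using (SecureString key = new SecureString())
        {
            foreach (char c in "demo-key-123") key.AppendChar(c);
            key.MakeReadOnly();
            UseAsBytes(key, bytes =>
                Console.WriteLine("key length in bytes: " + bytes.Length));
        }
    }
}
```

The plaintext exists only between the marshal call and the `finally` block; any API that needs the value as a String creates a copy that this code cannot clear.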