iOS secure API credentials in source code. How ?

ChristianVirtual

macrumors 601
Original poster
May 10, 2010
4,091
265
If your app would like to use services like Dropbox or Google Drive you need to register for an API key and use it in your application to enable the API at runtime.

Do you have a simple but secure method to store such keys in the source code (and eventually in the binary) and avoid easy detection by a 3rd party?

A simple string seems not to be the best idea.
Code:
NSString *apiKey = @"This is my secret key";   // ok in an ideal world; not so much in ours
 

troop231

macrumors 603
Jan 20, 2010
5,404
150
You can try building your key at runtime instead as an NSMutableString property using an NSArray as the character source:

Code:
@property (nonatomic, strong) NSMutableString *keyString;

// Single characters of the key, stored out of order so the key never
// appears as one contiguous string in the binary.
NSArray *theSecret = @[@"y",@"e",@"k",@"h",@"t"];

// Reassemble the key at runtime by picking the characters in the right order.
self.keyString = [[NSMutableString alloc] init];
[self.keyString appendString:[theSecret objectAtIndex:4]];   // t
[self.keyString appendString:[theSecret objectAtIndex:3]];   // h
[self.keyString appendString:[theSecret objectAtIndex:1]];   // e
[self.keyString appendString:[theSecret objectAtIndex:2]];   // k
[self.keyString appendString:[theSecret objectAtIndex:1]];   // e
[self.keyString appendString:[theSecret objectAtIndex:0]];   // y

NSLog(@"%@",self.keyString);   // logs "thekey"
 

ChristianVirtual

macrumors 601
Original poster
May 10, 2010
4,091
265
Thanks; my simple brain was originally only considering bigger sub-strings, not single-character strings, which makes your proposal better. :)
 

ArtOfWarfare

macrumors G3
Nov 26, 2007
8,565
3,978
I think you're probably fine just sticking it right in your code. Someone looking through your compiled code wouldn't know one string from another, because the name of the string is thrown out at compile time. Plus you have to consider the kinds of things that could happen if your secret key was compromised... I don't feel like the consequences would really be severe enough to warrant going through effort to obfuscate it like troop231 suggested.

Wouldn't it be trivial for a user, if they so desired, to sniff the packets on their network and extract your API key? Even if it's encrypted, they could still record the encrypted key and play it back later (again, not sure what the issue would really be if a malicious person were able to do that).
 

firewood

macrumors 604
Jul 29, 2003
7,645
872
Silicon Valley
Using https (at least after a recent iOS update) prevents packet sniffing of token credentials.

Basically, you need to deal with 2 types of token theft. For unsophisticated types, any type of obfuscation will work, even rot13, as these types usually only do a string search looking for stuff. And you should at least obfuscate your token to prevent your kid sister from running across it. Against sophisticated types, no source code storage is secure, as they can modify and single step your code to find the token just as it's created and/or sent.
 
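To make concrete what troop231's character-array trick and firewood's "even rot13 works against string searchers" point have in common, here is an added example (not code from any poster) written in C so it drops straight into an Objective-C project: the key is stored XOR-masked in the binary and rebuilt at runtime, and a `blob_contains` helper plays the role of a simple string search over the stored bytes. The secret value, the mask and the function names are constructed for the illustration; anyone who can run or single-step the code still gets the key back from `deobfuscate_key`, which is exactly firewood's caveat.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample key, stored two ways for comparison. */
static const char PLAIN_KEY[] = "thekey";          /* visible to a string search */
#define OBF_MASK 0x5A                               /* arbitrary one-byte mask */
static const unsigned char OBFUSCATED_KEY[] = {     /* each byte XOR'd with the mask */
    't' ^ OBF_MASK, 'h' ^ OBF_MASK, 'e' ^ OBF_MASK,
    'k' ^ OBF_MASK, 'e' ^ OBF_MASK, 'y' ^ OBF_MASK };
#define KEY_LEN (sizeof OBFUSCATED_KEY)

/* Rebuild the key at runtime into out (needs KEY_LEN + 1 bytes).
 * Returns the key length, or 0 if the buffer is too small. */
size_t deobfuscate_key(char *out, size_t out_len) {
    if (out_len < KEY_LEN + 1) return 0;
    for (size_t i = 0; i < KEY_LEN; i++)
        out[i] = (char)(OBFUSCATED_KEY[i] ^ OBF_MASK);
    out[KEY_LEN] = '\0';
    return KEY_LEN;
}

/* Simulates the "string search" an unsophisticated attacker runs over a
 * binary: does needle occur as a contiguous byte run anywhere in blob? */
int blob_contains(const unsigned char *blob, size_t blob_len, const char *needle) {
    size_t n = strlen(needle);
    if (n == 0 || n > blob_len) return 0;
    for (size_t i = 0; i + n <= blob_len; i++)
        if (memcmp(blob + i, needle, n) == 0) return 1;
    return 0;
}

int main(void) {
    char key[KEY_LEN + 1];
    deobfuscate_key(key, sizeof key);
    printf("runtime key: %s\n", key);
    printf("plain copy found by string search:      %s\n",
           blob_contains((const unsigned char *)PLAIN_KEY, sizeof PLAIN_KEY - 1, key) ? "yes" : "no");
    printf("obfuscated copy found by string search: %s\n",
           blob_contains(OBFUSCATED_KEY, KEY_LEN, key) ? "yes" : "no");
    return 0;
}
```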

troop231

macrumors 603
Jan 20, 2010
5,404
150
IMO, if you're not doing some kind of banking app or the like, then sticking API keys in hard-coded isn't a huge deal. The only real problem is that copycat apps could come out and use your API and leech your resources.