secure API credentials in source code. How ?

Discussion in 'iOS Programming' started by ChristianJapan, Apr 4, 2014.

  1. ChristianJapan macrumors 601

    ChristianJapan

    Joined:
    May 10, 2010
    Location:
    日本
    #1
    If your app would like to use services like Dropbox or Google Drive you need to register for an API key and use it in your application to enable the API at runtime.

    Do you have a simple but secure method to store such keys in the source code (and eventually in the binary) and avoid easy detection by a 3rd party?

    A simple string seems not the best idea.
    Code:
    NSString *apiKey = @"This is my secret key";   // ok in an ideal world; not so much in ours
     
  2. troop231, Apr 4, 2014
    Last edited: Apr 4, 2014

    troop231 macrumors 603

    Joined:
    Jan 20, 2010
    #2
    You can try building your key at runtime instead as a NSMutableString property using an NSArray as the character source:

    Code:
    @property (nonatomic, strong) NSMutableString *keyString;
    
    // character pool; the real key is never present as one literal
    NSArray *theSecret = @[@"y",@"e",@"k",@"h",@"t"];
    
    // assemble the key one character at a time (yields "thekey")
    self.keyString = [[NSMutableString alloc] init];
    [self.keyString appendString:[theSecret objectAtIndex:4]];  // t
    [self.keyString appendString:[theSecret objectAtIndex:3]];  // h
    [self.keyString appendString:[theSecret objectAtIndex:1]];  // e
    [self.keyString appendString:[theSecret objectAtIndex:2]];  // k
    [self.keyString appendString:[theSecret objectAtIndex:1]];  // e
    [self.keyString appendString:[theSecret objectAtIndex:0]];  // y
    
    NSLog(@"%@", self.keyString);
     
  3. ChristianJapan thread starter macrumors 601

    ChristianJapan

    Joined:
    May 10, 2010
    Location:
    日本
    #3
    Thanks; my simple brain was originally only considering bigger sub-strings, not single-character strings, which makes your proposal better. :)
     
  4. ArtOfWarfare macrumors 604

    ArtOfWarfare

    Joined:
    Nov 26, 2007
    #4
    I think you're probably fine just sticking it right in your code. Someone looking through your compiled code wouldn't know one string from another, because the name of the string is thrown out at compile time. Plus you have to consider the kinds of things that could happen if your secret key was compromised... I don't feel like the consequences would really be severe enough to warrant going through effort to obfuscate it like troop231 suggested.

    Wouldn't it be trivial for a user, if they so desired, to sniff the packets on their network and extract your API key? Even if it's encrypted, they could still record the encrypted key and play it back later (again, not sure what the issue would really be if a malicious person were able to do that).
     
  5. firewood macrumors 604

    Joined:
    Jul 29, 2003
    Location:
    Silicon Valley
    #5
    Using https (at least after a recent iOS update) prevents packet sniffing of token credentials.

    Basically, you need to deal with 2 types of token theft. For unsophisticated types, any type of obfuscation will work, even rot13, as these types usually only do a string search looking for stuff. And you should at least obfuscate your token to prevent your kid sister from running across it. Against sophisticated types, no source code storage is secure, as they can modify and single step your code to find the token just as it's created and/or sent.
     
  6. troop231 macrumors 603

    Joined:
    Jan 20, 2010
    #6
    IMO, if you're not doing some kind of banking app or the like, then hard-coding API keys isn't a huge deal. The only real problem is that copycat apps could come out and use your API and leech your resources.
     
