Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

iOS secure API credentials in source code. How ?

ChristianVirtual

ChristianVirtual

macrumors 601
Original poster
May 10, 2010
4,122
282
日本
If your app would like to use services like Dropbox or Google Drive you need to register for an API key and use it in your application to enable the API at runtime.

Do you have a simple but secure method to store such keys in the source code (and eventually in the binary) and avoid easy detection by 3rd party ?

Simple string seems not the best idea.
Code: 
NSString *apiKey = @"This is my secret key";   // ok in an ideal world; not so much in ours
 
You can try building your key at runtime instead as a NSMutableString property using an NSArray as the character source:

Code: 
@property (nonatomic, strong) NSMutableString *keyString;

NSArray *theSecret = @[@"y",@"e",@"k",@"h",@"t"];

self.keyString = [[NSMutableString alloc]init];
[self.keyString appendString:[theSecret objectAtIndex:4]];
[self.keyString appendString:[theSecret objectAtIndex:3]];
[self.keyString appendString:[theSecret objectAtIndex:1]];
[self.keyString appendString:[theSecret objectAtIndex:2]];
[self.keyString appendString:[theSecret objectAtIndex:1]];
[self.keyString appendString:[theSecret objectAtIndex:0]];

NSLog(@"%@",self.keyString);
 
Last edited:
Thanks; My simple brain was originally only considering bigger sub-strings; not single character-strings. Which makes your proposal better. :)
 
I think you're probably fine just sticking it right in your code. Someone looking through your compiled code wouldn't know one string from another, because the name of the string is thrown out at compile time. Plus you have to consider the kinds of things that could happen if your secret key was compromised... I don't feel like the consequences would really be severe enough to warrant going through effort to obfuscate it like troop231 suggested.

Wouldn't it be trivial for a user, if they so desired, to sniff the packets on their network and extract your API key? Even if it's encrypted, they could still record the encrypted key and play it back later (again, not sure what the issue would really be if a malicious person were able to do that).
 
Using https (at least after a recent iOS update) prevents packet sniffing of token credentials.

Basically, you need to deal with 2 types of token theft. For unsophisticated types, any type of obfuscation will work, even rot13, as these types usually only do a string search looking for stuff. And you should at least obfuscate your token to prevent your kid sister from running across it. Against sophisticated types, no source code storage is secure, as they can modify and single step your code to find the token just as it's created and/or sent.
 
IMO, if you're not doing some kind of banking app or the likes, then sticking API keys hard coded isn't a huge deal. The only real problem is that copy cat apps could come out and use your API and leach your resources.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back