Where to store API keys on Swift?
I have a bunch of API keys and secrets (Stripe, Cloudinary etc.) that are currently hard coded in my app. Where is the right place to store them? Should they be on the server, and I just store the server URL at my end (so that if the keys change, the app continues to work)?

For example, I have this in my app delegate file:

    func configureStripe() {
        STPPaymentConfiguration.sharedConfiguration().publishableKey = "pk_test_1234rtyhudjjfjjs"
        STPPaymentConfiguration.sharedConfiguration().appleMerchantIdentifier = "merchant.com.myapp"
    }
Treiber answered 18/2, 2017 at 5:14 Comment(3)
Yes, secret keys should definitely only be on your server and never ever in client-side code. - Splashdown
If you want to store them on the client side, I believe using a library like SSKeyChain will be helpful. - Sumptuary
I'm not sure about Cloudinary, but with Stripe the key you are using on the client is a publishableKey. It is not something that is considered secure by Stripe for any interactions with their API. That's why you need to do everything from a server using your other private key. Never store anything private client side, but if it's absolutely necessary, don't hardcode it in the app or store it in a plist. An option is making a network request from your app to your backend to get the key, use SSL, and store it in the keychain. Still not totally secure, but should do for anything not majorly sensitive. - Musette
4

There are many tools to store secret keys.

  1. https://nshipster.com/secrets/
  2. https://www.freecodecamp.org/news/how-to-securely-store-api-keys-4ff3ea19ebda/

For a personal project, I typically go with xcconfig and just ignore that file in git, but with teams this can be quite hard.

Unconscious answered 22/10, 2020 at 9:2 Comment(0)
1

First of all you need to keep in mind that every piece of code that you deliver with your app will be obtainable by the attacker. Any kind of obfuscation won't protect it and only makes the attack more expensive and time consuming.

Therefore you shouldn't keep any sensitive keys or secrets in the source code. You need to think of a server-side solution for storing secrets. The server-side solution would stand between your app and the API that you are actually going to call.

Bigotry answered 20/9, 2020 at 23:23 Comment(0)
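The pattern described in the comments on the question (fetch the key from your own backend over HTTPS, cache it in the Keychain, keep the real secret key server-side) as an added example; this is not code from the question or from any answer. The `https://api.example.com/config/stripe` endpoint, its `publishableKey` JSON field and the `com.example.myapp.secrets` service name are assumptions.

```swift
import Foundation
import Security

enum KeychainStore {
    static let service = "com.example.myapp.secrets"   // assumed identifier, not from the question

    private static func baseQuery(_ account: String) -> [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    static func save(_ value: String, account: String) -> Bool {
        // Delete any stale copy first; SecItemAdd fails with errSecDuplicateItem otherwise.
        SecItemDelete(baseQuery(account) as CFDictionary)
        var attrs = baseQuery(account)
        attrs[kSecValueData as String] = Data(value.utf8)
        // Only readable after first unlock, and never restored onto another device from a backup.
        attrs[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
        return SecItemAdd(attrs as CFDictionary, nil) == errSecSuccess
    }

    static func read(account: String) -> String? {
        var query = baseQuery(account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var item: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
              let data = item as? Data else { return nil }
        return String(decoding: data, as: UTF8.self)
    }
}

// Ask your own backend (assumed endpoint and JSON shape) for the current publishable
// key over HTTPS, cache it in the Keychain, and fall back to the cached copy when offline.
func loadPublishableKey(completion: @escaping (String?) -> Void) {
    let account = "stripe_publishable_key"
    let url = URL(string: "https://api.example.com/config/stripe")!
    URLSession.shared.dataTask(with: url) { data, response, _ in
        guard let data = data,
              (response as? HTTPURLResponse)?.statusCode == 200,
              let json = try? JSONSerialization.jsonObject(with: data) as? [String: Any],
              let key = json["publishableKey"] as? String else {
            completion(KeychainStore.read(account: account))
            return
        }
        _ = KeychainStore.save(key, account: account)
        completion(key)
    }.resume()
}
```

Only the publishable key ever reaches the device; the Stripe secret key stays on the backend, which is the part that actually matters for security, and rotating the publishable key then needs no app update.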
-1

I would say to store it in Info.plist and don't upload the file to Git.

Noonan answered 11/2, 2023 at 7:10 Comment(0)
-3

In the case of Stripe, it doesn't matter so much as Stripe was designed with this in mind, so much so they take financial responsibility with PCI compliance. They have more complex methods of authenticating a user and limiting access.

Shepard answered 24/6, 2018 at 12:18 Comment(2)
I feel like this should be the norm for APIs, since today for most other APIs the client is responsible for using the secrets securely... - Calais
Even though they are PCI compliant, you should still take care of your API key so no one uses your key. - Huck
