3

I'm writing an iPhone app that integrates with third party APIs. These APIs use OAuth (key/secret specific to my app, not per user) in order to authenticate which app the request is being made on behalf of.

Is it secure (or how secure is it) to simply put the key/secret in code? Can this sort of data be reverse-engineered? Is there a better way to go about including this data in a project?

pschang
    *Anything* in the code can be reverse engineered, usually quite easily. Besides, the traffic can be monitored and your key, used by every device running your app out there, can be found in a matter of seconds. With those keys, any script kiddie can bombard your service with requests and you won't be able to distinguish legit calls from 'pranks' (not to say abuse). Once the word gets out that 'here, this key can be used to post tweets on behalf of this app', then the spammers and 'marketers' will quickly start pouring cheap Viagra ads down that channel... – Remus Rusanu Oct 26 '10 at 23:59

3 Answers

3

There is no place on the iPhone to hide data. A user with a jailbroken iPhone has more control over the device than any developer. If possible you should set up a web service such as a REST or SOAP service to take care of these OAuth transactions on behalf of the client.

rook
  • How do licensed users of the application retain access to use the application once the operator of the REST or SOAP service no longer has the financial resources to continue to operate said service? – Damian Yerrick Jul 18 '21 at 17:42
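The server-side approach rook describes, as an added example that is not part of the original answer: a minimal signing proxy for OAuth 1.0a (HMAC-SHA1, per RFC 5849). The consumer key and secret live only on the server; the app authenticates to the proxy with its own per-user session identifier and asks the proxy to produce the `Authorization` header for the outbound call. The `SigningProxy` class, the session table and the session identifiers are assumptions made for this example; the credentials and request in the usage at the bottom are the well-known test vector from the OAuth Core 1.0 specification (Appendix A), not anything from the page.

```python
"""Added example: OAuth 1.0a (HMAC-SHA1) signing done by a server-side proxy.

The consumer secret never ships in the app. The app calls the proxy with its own
per-user session id; the proxy looks up that user's token credentials, signs the
request and hands back only the Authorization header (or forwards the call).
No network I/O here, so it runs offline.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit, urlunsplit


def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")


def normalize_url(url):
    """Base string URI: lowercase scheme/host, default port dropped, no query/fragment."""
    parts = urlsplit(url)
    scheme, netloc = parts.scheme.lower(), parts.netloc.lower()
    if (scheme == "http" and netloc.endswith(":80")) or (scheme == "https" and netloc.endswith(":443")):
        netloc = netloc.rsplit(":", 1)[0]
    return urlunsplit((scheme, netloc, parts.path, "", ""))


def signature_base_string(method, url, params):
    """params holds every query and oauth_* parameter except oauth_signature."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(normalize_url(url)), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Signing key is consumer_secret&token_secret, each percent-encoded."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, params, consumer_key, consumer_secret,
                 token=None, token_secret="", nonce=None, timestamp=None):
    """Return (signature base string, Authorization header) for one request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    base = signature_base_string(method, url, {**params, **oauth})
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return base, header


class SigningProxy:
    """Hypothetical server-side component holding the app's consumer credentials.

    sessions maps an app session id (issued after the user logs in to *your*
    service) to that user's (oauth_token, oauth_token_secret). The client never
    sees the consumer secret, so a leaked app binary reveals nothing reusable.
    """

    def __init__(self, consumer_key, consumer_secret, sessions):
        self._consumer_key = consumer_key
        self._consumer_secret = consumer_secret
        self._sessions = sessions

    def sign_for_session(self, session_id, method, url, params, nonce=None, timestamp=None):
        if session_id not in self._sessions:
            raise PermissionError("unknown or expired app session")
        token, token_secret = self._sessions[session_id]
        _, header = sign_request(method, url, params, self._consumer_key,
                                 self._consumer_secret, token, token_secret, nonce, timestamp)
        return header


if __name__ == "__main__":
    # Usage with the OAuth Core 1.0 Appendix A test vector (constructed session table).
    proxy = SigningProxy("dpf43f3p2l4k3l03", "kd94hf93k423kf44",
                         {"sess-1": ("nnch734d00sl2jdk", "pfkkdhi9sl3r4s00")})
    print(proxy.sign_for_session("sess-1", "GET", "http://photos.example.net/photos",
                                 {"file": "vacation.jpg", "size": "original"},
                                 nonce="kllo9940pd9333jh", timestamp=1191242096))
```

In a real deployment the proxy would also forward the request itself and rate-limit per session, so that the abuse Remus Rusanu describes in the comment on the question is tied to an identifiable app user rather than to an app-wide key.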
2

As Rook said earlier, there is no way to hide your data on the iPhone. But you can make the hacker's job very difficult. I just did a workaround for the same issue.

Encryption flow

  1. Put the OAuth key information in a PLIST.
  2. Manually encrypt this PLIST using an AES key to get the encrypted "CIPHER TEXT".
  3. Modify the AES key by appending characters in between with your own logic, since it is required at runtime to decrypt the plist.
  4. Add this modified key to the plist "CIPHER TEXT" and store this value in a new plist.
  5. Remove the old plist which has the OAuth information.

Now you have only one plist, which has the encrypted value with the modified KEY.

Advantage:

  1. Hacking is very difficult, since the hacker doesn't have a proper cipher text in the plist.

  2. To hack this code they should know how to separate the modified AES key from the cipher text.

  3. Though they find the modified AES key, they don't have any clue about the appending algorithm. Here I simply used the EVEN positions of the characters, but you can't modify this and you can take the 3rd or 4th position of the characters, which will actually differ for each developer.

For more information, please visit the link below:

https://sites.google.com/site/greateindiaclub/mobil-apps/ios/securelystoringoauthkeysiniosapplication

Boobalan
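The key-splitting steps of the flow above (3 to 5), as an added example that is not the answer's own code: the AES key's characters are interleaved into the even positions of the ciphertext, the result is written to a new plist, and the app reverses that at runtime. The AES encryption itself is assumed to have happened out of band, as step 2 says, so the ciphertext here is just an opaque hex string; the key length, the plist key name and the sample values are constructed for the example. Note that `unpack` is precisely the routine the shipped app must contain, so anyone with the binary can run it too, which is the point rook and the comment on the question make.

```python
"""Added example: interleave an AES key into a ciphertext and store it in a plist.

This reproduces steps 3-5 of the scheme described in the answer. KEY_HEX_LEN,
the plist key name and the sample values are constructed for the example.
"""
import plistlib

KEY_HEX_LEN = 32  # hex characters of a 128-bit AES key; the app must know this to unpack
PLIST_KEY = "oauth"  # assumed name of the single entry in the new plist


def pack(cipher_hex, key_hex):
    """Place key characters at even indexes, ciphertext characters at odd ones.

    Only the first KEY_HEX_LEN ciphertext characters are interleaved; the rest
    are appended unchanged.
    """
    if len(key_hex) != KEY_HEX_LEN:
        raise ValueError(f"key must be {KEY_HEX_LEN} hex characters")
    if len(cipher_hex) < KEY_HEX_LEN:
        raise ValueError("ciphertext too short to hide the key in")
    head = "".join(k + c for k, c in zip(key_hex, cipher_hex[:KEY_HEX_LEN]))
    return head + cipher_hex[KEY_HEX_LEN:]


def unpack(blob):
    """Inverse of pack. This is exactly what the app ships and runs at start-up."""
    head, tail = blob[:2 * KEY_HEX_LEN], blob[2 * KEY_HEX_LEN:]
    key_hex = head[0::2]
    cipher_hex = head[1::2] + tail
    return cipher_hex, key_hex


def write_plist(cipher_hex, key_hex):
    """Step 4: the new plist holds one value, the combined blob (XML plist bytes)."""
    return plistlib.dumps({PLIST_KEY: pack(cipher_hex, key_hex)})


def recover_from_plist(plist_bytes):
    """What the app, or anyone holding the app bundle, does to get key and ciphertext."""
    blob = plistlib.loads(plist_bytes)[PLIST_KEY]
    return unpack(blob)


if __name__ == "__main__":
    # Constructed sample values: a 16-byte key and two AES blocks of ciphertext, as hex.
    sample_key = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"
    sample_cipher = "00112233445566778899aabbccddeeff" * 2
    bundle_plist = write_plist(sample_cipher, sample_key)
    print(recover_from_plist(bundle_plist))
```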
-2

I'd suggest looking into the Keychain services provided by Apple

http://developer.apple.com/library/ios/#documentation/Security/Conceptual/keychainServConcepts/01introduction/introduction.html

Chris Wagner