I have to call a payment gateway API from iOS code. The problem is that it needs merchant credentials, and I feel insecure embedding the merchant credentials in code. If someone somehow reverse engineers the code and gets the credentials, then the client is dead. Any advice?

I found this post, Does Apple modify iOS application executables on apps submitted to the App Store?, which says that app binaries are encrypted by Apple by default. Does it mean I can safely embed the credentials in code?

Rizwan Yousuf
  • No. Never ever embed critical resources in unencrypted code (strings, plists). Not only are plists simple bundle resources (e.g. Not encrypted), but the dynamic nature of Objective-C code means that it can be reverse-engineered easily. That combined with the fact that `const NSStrings*` are cached **at the binary level**. – CodaFi Oct 24 '12 at 13:22
  • What do you suggest then? Shall I encrypt the credentials and put them in a plist file, assuming that the encryption algorithm and key are in the code and are safe because the binary is encrypted and signed by Apple and classes cannot be reverse engineered? Or something else? – Rizwan Yousuf Oct 24 '12 at 14:03
  • There is not really a way to embed credentials in such a way that they cannot be recovered by someone who is determined to get them. I have also seen people think that transmitting secrets with HTTPS will keep them safe, but it's not true, as you can use a proxy such as Charles, which lets you record the network traffic (you have to install a certificate on the device so it trusts the proxy). – Chris Lundie Oct 24 '12 at 15:18

1 Answer

NO! Instead of adding the credentials to the iOS app, you should think about setting up a server which handles the interaction with the API you are talking about, and let the app interact only with your server. So you can store the API key on your server and can limit what's possible for the user on the server side (which will be much harder to abuse).

miho
  • Doesn't this just kick the can down the road? How do you then ensure your app is the only thing that can make requests to this new server in the mix? – Sam Yates Jun 13 '13 at 19:48
  • No. If you get the API key for the service, you are able to do everything which is possible with the service. If you store the key on the server, the server software can limit what is possible to do. If your service also uses authentication, you can also find out when somebody tries to abuse your service. – miho Jun 19 '13 at 11:30
  • Good points. This seems like a good risk mitigation particularly for a service that grants "blanket" keys where you can literally do any operation that user may be authorized to do, when in fact your app really only needs to perform a subset of those. – Sam Yates Aug 05 '13 at 23:45
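The server-side design miho describes in the answer and in the follow-up comment, as an added example that is not from the original post: a minimal Python backend that keeps the merchant key out of the app, checks the app user's session, restricts which gateway operations and amounts that user may trigger, logs every refusal so abuse is visible, and only then attaches the credential to the upstream call. The session table, policy limits and the gateway's header format are constructed assumptions, not any real gateway's API.

```python
import hashlib
import hmac
import logging
import os
import time

log = logging.getLogger("payment-proxy")

# The merchant credential lives only in the server's environment; the fallback
# is a constructed value so the example runs offline.
MERCHANT_API_KEY = os.environ.get("MERCHANT_API_KEY", "constructed-merchant-key")
# Session tokens the server issued to users who signed in to the app (constructed).
SESSIONS = {"tok-alice": "alice"}
# Policy the server enforces; the merchant key itself could do far more upstream.
ALLOWED_OPS = {"charge"}
MAX_AMOUNT_CENTS = 50_000
MAX_CHARGES_PER_MINUTE = 5
_recent = {}  # user -> timestamps of accepted charges


class Rejected(Exception):
    """Request refused before anything reached the gateway."""


def authorize(token, request, now=None):
    """Return the user if the request is within policy; log and raise otherwise."""
    now = time.monotonic() if now is None else now
    user = SESSIONS.get(token)
    if user is None:
        log.warning("rejected request carrying an unknown session token")
        raise Rejected("unauthenticated")
    if request.get("op") not in ALLOWED_OPS:
        log.warning("user %s tried disallowed op %r", user, request.get("op"))
        raise Rejected("operation not permitted")
    amount = request.get("amount_cents")
    if not isinstance(amount, int) or not 0 < amount <= MAX_AMOUNT_CENTS:
        log.warning("user %s sent out-of-range amount %r", user, amount)
        raise Rejected("amount out of range")
    window = [t for t in _recent.get(user, []) if now - t < 60]
    if len(window) >= MAX_CHARGES_PER_MINUTE:
        log.warning("user %s exceeded %d charges per minute", user, MAX_CHARGES_PER_MINUTE)
        raise Rejected("rate limited")
    _recent[user] = window + [now]
    return user


def proxy_charge(token, request, now=None):
    """Build the upstream call for an authorized request. Only here, on the
    server, is the merchant key attached; the header layout is hypothetical."""
    user = authorize(token, request, now)
    body = f'{{"amount_cents":{request["amount_cents"]},"ref":"{user}"}}'
    sig = hmac.new(MERCHANT_API_KEY.encode(), body.encode(), hashlib.sha256).hexdigest()
    return {"headers": {"Authorization": f"Bearer {MERCHANT_API_KEY}", "X-Signature": sig}, "body": body}
```

Because the app only ever holds a revocable per-user session token, a compromised device or a proxied HTTPS session exposes that user's limited allowance, not the merchant's blanket key.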