The answer proposed in "Embed API credentials in iOS code" is not an option for me.

My app communicates with a back-end SOAP API over HTTPS. My API credentials are sent in every request.

I don't have control over the server implementation, so I'm not able to add an intermediary authentication server and migrate to a token-based implementation.

Because I have to embed my credentials with my app's binary (I understand that this is far from ideal, on principle), I am looking for best practices to make my credentials as secure as is possible.

From what I've read, I've gathered:

  • Don't include credentials in an external file (such as a .plist)
  • Don't include credentials as simple NSString * const declarations. (Is using a char * safer?)
  • Don't do something obvious, like put my credentials in an Objective-C singleton called AuthenticationKeyManager

I also saw this article: http://applidium.com/en/news/securing_ios_apps_debuggers/
=> tldr: add release-mode code in the main.m to prevent the app from running if a debugger is attached

Note: I am able to implement SSL pinning.

Are there any other measures I can take to safeguard my access credentials?

Matt H.

1 Answer

How to create and use an encrypted plist is described here: http://aptogo.co.uk/2010/07/protecting-resources/

But the AES key from it is stored in static NSString *sharedKey;

Cy-4AH
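The `NSString * const` bullet in the question and the `sharedKey` remark in the answer share one concern: a string literal is stored byte for byte in the shipped binary. The pre-release audit below is an added example, not code from the question, the answer or the linked articles. It checks a build artifact for known secrets in the plain and lightly encoded forms a literal usually takes; the secret values, the sample bytes and the names `find_literal_secrets`, `SECRETS` and `SAMPLE_BINARY` are constructed for illustration.

```python
"""Pre-release audit: does a known secret sit in the build output as a literal?"""
import base64
import sys


def _encodings(secret: str) -> dict[str, bytes]:
    """Byte forms a literal, or a lightly encoded copy of it, takes in a binary."""
    raw = secret.encode("utf-8")
    return {
        "utf-8": raw,                           # char * and ASCII NSString literals
        "utf-16le": secret.encode("utf-16-le"),
        "base64": base64.b64encode(raw),
        "hex": raw.hex().encode("ascii"),
        "HEX": raw.hex().upper().encode("ascii"),
    }


def find_literal_secrets(blob: bytes, secrets: dict[str, str]) -> list[tuple[str, str, int]]:
    """Return (secret name, encoding, byte offset) for every occurrence in blob."""
    hits = []
    for name, value in secrets.items():
        for encoding, needle in _encodings(value).items():
            start = blob.find(needle)
            while start != -1:
                hits.append((name, encoding, start))
                start = blob.find(needle, start + 1)
    return sorted(hits, key=lambda hit: hit[2])


# Constructed secrets; in a real pipeline these come from the build's secret store.
SECRETS = {
    "api_password": "s3cr3t-Example!",
    "plist_aes_key": "0123456789abcdef",   # plays the role of sharedKey
}

# Constructed stand-in for a compiled binary: header bytes, then string data.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 12
    + b"AuthenticationKeyManager\x00"
    + SECRETS["api_password"].encode() + b"\x00"                    # plain literal
    + b"\x00" * 4
    + base64.b64encode(SECRETS["plist_aes_key"].encode()) + b"\x00"  # base64 copy
)

if __name__ == "__main__":
    # With a path argument, audit that file; otherwise audit the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    found = find_literal_secrets(data, SECRETS)
    for name, encoding, offset in found:
        print(f"{name}: found as {encoding} at offset {offset}")
    sys.exit(1 if found else 0)
```

A clean result only means the secret is not present in these literal forms; it says nothing about how easily the secret can be recovered from the running app.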