
In my application I store a key that encrypts and decrypts data; it is stored as a string define:

#define ClientSecret @"123456"

This value is easily accessible when the app is decompiled... How can I protect it to the best extent?

The value doesn't need to be a define... Is there some recommended approach to ensure the safety of such values, which are hard-coded?

This question goes for both iOS and OS X.

Peter Lapisu
  • This is Objective-C related, not .Net – Peter Lapisu Apr 29 '16 at 10:55
  • Neither is the possible duplicate. It's C++. Also, the concepts discussed in the answers, especially the second one, apply to _all_ executables regardless of the language they were written in. – dandan78 Apr 29 '16 at 10:58
  • But I want an Objective-C related answer, like mortgy provided, not general talk – Peter Lapisu Apr 29 '16 at 12:14
  • The answer in the duplicate answer says it all. In short, don't do it this way. You are creating just an illusion of security, not real security (*security through obscurity*) – Sulthan Apr 29 '16 at 20:23

1 Answer


UAObfuscatedString may help hide your keys. But at some point the secret value will have to be available. E.g. if your secret is an API key, it will have to be passed to that API and somebody could set a breakpoint on the API call and read the value there.

NSGod
Pierre Bernard
  • I changed the link to what I think you probably intended, though you could double check... – NSGod Apr 29 '16 at 19:46
  • I would watch out for UAObfuscatedString; it's open source: a malicious user can find UAObfuscatedString's code, put breakpoints in each method and see the order of calls. I'd check on this instead: http://www.splinter.com.au/2014/09/16/storing-secret-keys/ – Þorvaldur Rúnarsson Sep 19 '16 at 13:15
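
The answer's point, as an added example (not code from the original post or from UAObfuscatedString): a value stored in masked form no longer shows up in a static string scan, but the program has to rebuild the plaintext in memory before it can use it. It is plain C, which also compiles inside Objective-C sources; the XOR mask and all function names are assumptions made for the illustration, and `123456` is the question's placeholder value.

```c
#include <stddef.h>
#include <string.h>

#define MASK 0x5A  /* arbitrary mask, chosen for this example */

/* The question's placeholder as a plain literal: these six bytes sit
   verbatim in the compiled binary's data section. */
static const char plain_secret[] = "123456";

/* The same value stored XOR-masked, so the literal is absent from the stored
   bytes (a stand-in for what string obfuscation achieves). */
static const unsigned char masked_secret[] = {
    '1' ^ MASK, '2' ^ MASK, '3' ^ MASK, '4' ^ MASK, '5' ^ MASK, '6' ^ MASK
};

/* What a strings-style static scan does: search a byte range for a pattern. */
int bytes_contain(const void *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    const unsigned char *p = buf;
    if (n == 0 || n > len) return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(p + i, needle, n) == 0) return 1;
    return 0;
}

/* Runtime decode: the plaintext must be rebuilt before it can be used.
   Returns the number of bytes written, or 0 if the buffer is too small. */
size_t reveal_secret(char *out, size_t out_len) {
    size_t n = sizeof masked_secret;
    if (out_len < n + 1) return 0;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(masked_secret[i] ^ MASK);
    out[n] = '\0';
    return n;
}

/* Returns 1 when the plain literal is found by the scan, the masked form is
   not, and the decoded runtime buffer exposes the value again. */
int obfuscation_only_moves_the_secret(void) {
    char runtime[16] = {0};
    int plain_found = bytes_contain(plain_secret, sizeof plain_secret, "123456");
    int hidden = !bytes_contain(masked_secret, sizeof masked_secret, "123456");
    int exposed = reveal_secret(runtime, sizeof runtime) == 6 &&
                  bytes_contain(runtime, sizeof runtime, "123456");
    return plain_found && hidden && exposed;
}
```
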