21

I have a bunch of API keys and secrets (Stripe, Cloudinary etc.) that are currently hard coded in my app. Where is the right place to store them? Should they be on the server, and I just store the server URL at my end (so that if the keys change, the app continues to work)?

For example, I have this in my app delegate file:

    func configureStripe() {
        STPPaymentConfiguration.sharedConfiguration().publishableKey = "pk_test_1234rtyhudjjfjjs"
        STPPaymentConfiguration.sharedConfiguration().appleMerchantIdentifier = "merchant.com.myapp"
    }
Prabhu
    Yes secret keys should definitely only be on your server and *never ever* in client side code. – l'L'l Feb 18 '17 at 05:34
  • If you want to store them on the client side, I believe using a library like `SSKeyChain` will be helpful – KrishnaCA Feb 18 '17 at 05:42
    I'm not sure about Cloudinary, but with Stripe the key you are using on the client is a publishableKey. It is not something that is considered secure by Stripe for any interactions with their API. That's why you need to do everything from a server using your other private key. Never store anything private client side, but if it's absolutely necessary, don't hardcode it in the app or store it in a plist. An option is making a network request from your app to your backend to get the key, use SSL, and store it in the keychain. Still not totally secure, but it should do for anything not majorly sensitive. – JustinM Feb 18 '17 at 05:45

4 Answers

4

There are many tools to store secret keys.

  1. https://nshipster.com/secrets/
  2. https://www.freecodecamp.org/news/how-to-securely-store-api-keys-4ff3ea19ebda/

For a personal project, I typically go with xcconfig and just ignore that file in git, but with teams this can be quite hard.

Tim
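As an added illustration of the xcconfig approach in this answer (example code, not from the answer itself or from any project), here is the way it can be made to work for a team without sharing the file: the git-ignored `Secrets.xcconfig` is generated at build time from each developer's or the CI job's environment, and a scanner refuses any Stripe secret key (`sk_test_`/`sk_live_`) in tracked sources, since only the `pk_` publishable key belongs in the app. The setting names, file names and sample source lines are constructed for the example.

```python
import re
from pathlib import Path

# Build settings the app reads from Secrets.xcconfig (referenced as $(NAME)
# from Info.plist) and the environment variable each one is filled from.
# The names are constructed for this example.
SETTINGS = {
    "STRIPE_PUBLISHABLE_KEY": "STRIPE_PUBLISHABLE_KEY",
    "APPLE_MERCHANT_ID": "APPLE_MERCHANT_ID",
}

# Stripe key prefixes: pk_* keys are meant to ship in the client, sk_* never are.
SECRET_RE = re.compile(r"\bsk_(?:test|live)_[0-9A-Za-z]+")
SOURCE_SUFFIXES = {".swift", ".m", ".plist", ".xcconfig", ".json"}


def render_xcconfig(env) -> str:
    """Produce the contents of the git-ignored xcconfig from the environment.

    Each developer's shell or the CI job supplies the values, so nothing
    has to be committed and rotating a key means changing one variable.
    """
    lines = []
    for setting, var in SETTINGS.items():
        value = env.get(var)
        if not value:
            raise KeyError(f"{var} is not set")
        if SECRET_RE.search(value):
            # Refuse outright: a secret key must never be compiled into the app.
            raise ValueError(f"{var} looks like a Stripe secret key")
        if "//" in value:
            # xcconfig treats // as a comment start and silently truncates URLs;
            # the usual workaround is to write https:/$()/host instead.
            raise ValueError(f"{var} contains '//', which xcconfig reads as a comment")
        lines.append(f"{setting} = {value}")
    return "\n".join(lines) + "\n"


def find_secrets(text, path="<text>"):
    """Return (path, line number, masked key) for every secret key found in text."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in SECRET_RE.finditer(line):
            # Mask the match so the scanner's own output cannot leak the key.
            hits.append((path, n, m.group(0)[:8] + "..."))
    return hits


def scan_tree(root) -> list:
    """Scan a checkout for secret keys; run as a pre-commit hook or CI step."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix in SOURCE_SUFFIXES:
            hits.extend(find_secrets(p.read_text(errors="replace"), str(p)))
    return hits


if __name__ == "__main__":
    import os
    import sys
    Path("Secrets.xcconfig").write_text(render_xcconfig(os.environ))
    for path, line, masked in scan_tree("."):
        print(f"{path}:{line}: secret key {masked}")
    sys.exit(1 if scan_tree(".") else 0)
```

On the Swift side the app then reads the value through Info.plist (an entry set to `$(STRIPE_PUBLISHABLE_KEY)`, read with `Bundle.main.object(forInfoDictionaryKey:)`) instead of a string literal, so the only thing that changes between developers, CI and production is the environment that generated the xcconfig.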
1

First of all you need to keep in mind that every piece of code that you deliver with your app can be obtained by an attacker. Any kind of obfuscation won't protect it and will only make the attack more expensive and time consuming.

Therefore you shouldn't keep any sensitive keys or secrets in the source code. You need to think of a server-side solution for storing secrets. The server-side solution would stand between your app and the API that you are actually going to call.
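What such a server-side intermediary looks like, as an added example that is not part of this answer and not Stripe's SDK: the app never holds the secret key; it calls your backend with its own session token and the order details, and the backend adds the secret, talks to Stripe, and returns only what the client SDK needs. The PaymentIntents endpoint and the Basic-auth convention (secret key as username, empty password) are Stripe's documented ones; the session table, the currency whitelist, the amount bounds and the injectable `http_post` transport seam are constructed for the example.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

# Stripe's PaymentIntents endpoint (documented). The secret key is sent as the
# HTTP Basic username with an empty password.
STRIPE_API = "https://api.stripe.com/v1/payment_intents"
SECRET_PREFIXES = ("sk_test_", "sk_live_")

# Constructed sample session table standing in for whatever authenticates
# your own users (server session, JWT, Sign in with Apple, ...).
SESSIONS = {"session-abc123": {"user_id": 42}}
ALLOWED_CURRENCIES = ("usd", "eur", "gbp")  # constructed whitelist


def load_secret_key(env=None) -> str:
    """Read the secret key from the server's environment (or a secrets manager).

    It is never compiled into the app or committed to git; `env` is injectable
    only so the function can be exercised without touching os.environ.
    """
    env = os.environ if env is None else env
    key = env.get("STRIPE_SECRET_KEY", "")
    if not key.startswith(SECRET_PREFIXES):
        raise RuntimeError("STRIPE_SECRET_KEY is missing or is not a secret key")
    return key


def stripe_post(url, form, secret_key):
    """Real transport: form-encoded POST to Stripe, authenticated with the secret."""
    auth = base64.b64encode(f"{secret_key}:".encode()).decode()
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(form).encode(), method="POST")
    req.add_header("Authorization", f"Basic {auth}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def leaks_secret(obj) -> bool:
    """True if anything in a JSON-serialisable reply looks like a secret key."""
    blob = json.dumps(obj)
    return any(prefix in blob for prefix in SECRET_PREFIXES)


def create_payment_intent(session_token, amount_cents, currency,
                          http_post=stripe_post, env=None):
    """The endpoint the iOS app calls instead of talking to Stripe with a secret.

    The app sends only its own session token and the order details. The server
    authenticates the user, validates the input, adds the secret key, calls
    Stripe, and hands back just the PaymentIntent id and its client_secret,
    which is all the client-side Stripe SDK needs to confirm the payment.
    """
    user = SESSIONS.get(session_token)
    if user is None:
        raise PermissionError("unauthenticated")
    if not isinstance(amount_cents, int) or not 0 < amount_cents <= 1_000_000:
        raise ValueError("amount out of range")
    if currency not in ALLOWED_CURRENCIES:
        raise ValueError("unsupported currency")

    intent = http_post(
        STRIPE_API,
        {"amount": amount_cents, "currency": currency,
         "metadata[user_id]": user["user_id"]},
        load_secret_key(env),
    )
    # Rebuild the reply from named fields instead of forwarding Stripe's JSON,
    # so nothing unexpected reaches the phone; then double-check the result.
    reply = {"payment_intent_id": intent["id"],
             "client_secret": intent["client_secret"]}
    if leaks_secret(reply):
        raise RuntimeError("refusing to send a secret key to the client")
    return reply
```

The same shape works for Cloudinary or any other provider: the app only ever learns what it needs for its next step (here a `client_secret` scoped to one payment), and rotating the provider key is a server-side change that requires no app update.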

0

I would say store it in a .plist and don't upload the file to Git.

Marlhex
-3

In the case of Stripe, it doesn't matter so much as Stripe was designed with this in mind, so much so they take financial responsibility with PCI compliance. They have more complex methods of authenticating a user and limiting access.

David J
  • I feel like this should be the norm for APIs since today for most other APIs, the client is responsible for using the secrets securely... – alexisSchreier Sep 17 '19 at 07:00
  • Even though they are PCI compliant, you should still take care of your API key so no one uses your key. – Rehan Ali May 09 '20 at 09:38