I am writing an iOS app which is using Firebase for the backend. If I use third party services that require an app secret or various credentials that I don't want to be hacked, is it a good idea to store these on Firebase? This way, they won't have to be hardcoded into the code, so they can't be reverse engineered. Is downloading the credentials and app secret from Firebase each time the app starts up a safe way to go? Can this data be intercepted?
Asked
Active
Viewed 31 times
0
-
If the credentials end up being used directly from the app, it is still not secure. Secrets and other server-side keys should be kept on a server. Any time you use them in a client, you put them at risk. Also see https://stackoverflow.com/questions/36419065/hide-3rd-party-api-key-with-firebase/36427472#36427472 and https://stackoverflow.com/questions/44403300/storing-api-keys-on-the-realtime-database-firebase/44409504#44409504 and https://stackoverflow.com/questions/30359439/how-can-i-securely-store-and-retrieve-api-keys-for-an-android-application-writt/30360124#30360124 – Frank van Puffelen Jul 02 '17 at 15:42
-
Of course server keys should stay in the server, but client API keys, Oauth secrets need to be in the app or be transferred to the app from the server. A good solution for this is CloudKit as you can store any app secret in the public database and only your app will have access to it. And communication is secure with apple servers. More info here http://developer.apple.com/icloud/cloudkit – derickito Feb 16 '18 at 22:52