1

I have a few API keys in my Xcode project, e.g. Google API keys, Fabric key, Contentful SDK key, etc.

I'm worried about those keys being leaked from my build. Because they are not free versions, I've been paying according to their usage.

I found through research that some people can reverse engineer an IPA file (Xcode build), extract API keys from code/plist files, and use them.

Que-1. Is there a better way I can protect all my API keys?

Que-2. Is there another place to put my API keys, instead of the .plist file?

Que-3. Does Firebase provide features to store all API keys in the cloud and access them directly? If yes, please guide me.

Thanks for your help in advance.

Li Jin
BARS

1 Answer

-15
  1. Hardcoded keys cannot be extracted by reverse engineering. So, hardcode your API keys in your code.
  2. Hardcoded keys cannot be extracted by reverse engineering.
  3. If you want, you can use Firebase Remote Config to store API keys on Firebase.
Vaibhav Jhaveri
  • 6
    Any data that is embedded in the IPA can be extracted by a malicious user. They can download the IPA from the phone, and then use any hex editor to find the keys. That's why secret keys should never be embedded in the code of the app, whether directly or by downloading them from an unprotected source (such as Firebase Remote Config). – Frank van Puffelen Jul 22 '19 at 14:20
  • 6
    I strongly disagree that hardcoded content cannot be extracted from a built executable. Anytime something is put in a publicly released program, consider it compromised. For example, take a look at the 'strings' command in the terminal. – Barnyard Jul 22 '19 at 14:36
  • 1
    This is not true. You can test it by creating a simple iOS project: put something like let API = "ABCDEFG" in it, and inside viewDidLoad call print(API), so the compiler doesn't remove the unused variable. After archiving the app, just unzip the .ipa and look at your executable in any hex editor. You will find API ABCDEFG inside it. – bojan Jul 22 '19 at 19:10
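
The test described in the comments above, turned into a pre-release check, as an added example that is not part of the original thread: it opens an IPA (a zip archive) and reports every place a literal that must not ship appears, in UTF-8 or UTF-16 form. The function names, the sample archive and the key values are constructed for illustration.

```python
import io
import zipfile

def encodings(secret: str) -> dict:
    """Byte forms a string literal may take inside an executable or plist."""
    return {
        "utf-8": secret.encode("utf-8"),
        "utf-16le": secret.encode("utf-16-le"),
        "utf-16be": secret.encode("utf-16-be"),
    }

def scan_ipa(ipa, secrets):
    """Return (member, label, encoding, offset) for every embedded secret found.

    ipa: path or file-like object; secrets: {label: value} of keys that must not ship.
    """
    findings = []
    with zipfile.ZipFile(ipa) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            data = archive.read(info)
            for label, value in secrets.items():
                for enc, needle in encodings(value).items():
                    offset = data.find(needle)
                    while offset != -1:  # report every occurrence, not just the first
                        findings.append((info.filename, label, enc, offset))
                        offset = data.find(needle, offset + 1)
    return findings

def build_sample_ipa() -> io.BytesIO:
    """Constructed stand-in for an archived app: fake executable, plist, UTF-16 blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        fake_binary = b"\xcf\xfa\xed\xfe" + b"\x00" * 64 + b"ABCDEFG\x00" + b"\x00" * 32
        z.writestr("Payload/Demo.app/Demo", fake_binary)
        z.writestr("Payload/Demo.app/Info.plist",
                   "<plist><string>SAMPLE-PLIST-KEY</string></plist>")
        z.writestr("Payload/Demo.app/strings.bin", "ABCDEFG".encode("utf-16-le"))
        z.writestr("Payload/Demo.app/clean.txt", b"nothing secret here")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    secrets = {"API": "ABCDEFG", "plist key": "SAMPLE-PLIST-KEY"}  # constructed values
    for member, label, enc, offset in scan_ipa(build_sample_ipa(), secrets):
        print(f"{member}: {label} ({enc}) at offset {offset}")
```

Compression inside the IPA hides nothing, since each member is decompressed before the search; a non-empty result means the value ships to every device that installs the build.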