Securing Secret Keys in iOS

Monica Rajendran
2 min read · Dec 2, 2019


Hi everyone, this is my first Medium article 🥳. Your valuable suggestions are most welcome ✌️.

So let’s get started!!

As we develop an application, it’s important to make sure that secret keys are handled securely. Secret credentials like API keys, SDK IDs, access tokens or any such key should never be committed to source control or shipped inside the .ipa file, as they can easily be extracted or tampered with from there.

“So how do I store keys securely? Well!, Don’t save one 😉.”

I’m no expert, so I won’t claim this is the best approach, but I’m going to share the way I implemented it.

COCOAPODS-KEYS

It’s a good security practice to keep production keys out of developers’ hands. CocoaPods-keys makes it easy to have per-user config settings stored securely in the developer’s keychain, and not in the application source.

Installation

$ gem install cocoapods-keys

Usage

List all the keys that you need in the Podfile.

plugin 'cocoapods-keys', {
  :project => "MyApplication",
  :keys => [
    "ApiClientSecret",
    "ApiClientKey",
    ...
  ]
}

After adding the keys to the Podfile, run pod install. It will prompt you for a value for each key you listed in the Podfile. Once done, the values are stored in the OS X keychain. This is per-developer: when a teammate runs pod install for the first time on their machine, they will be prompted for the secret keys again, since none are found in their keychain. This works well for both development and production. This way, your keys are not stored in source control but securely in the keychain. As we all know, the keychain is one of the best and most secure ways of storing sensitive data.

As soon as the pod has been installed, an Objective-C class is generated. This class holds the keys you specified and is stored under the folder Pods/CocoaPodsKeys. You can now import the Keys module and use these secret keys in your code. Make sure to add Pods/CocoaPodsKeys to your .gitignore file so it never gets tracked 😇.

import Keys

let keys = MyApplicationKeys()
ApiService.fetchUser(keys.apiClientSecret)

Isn’t it awesome that the secrets are stored neither in version control nor in the code 🥳. This method works well with continuous integration too: you can provide the values for these keys as environment variables in your CI tool, since the plugin looks for an environment variable with the same name before looking in the keychain.
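To make the lookup order concrete, here is an added Ruby example (my own illustration, not code from this article or from the cocoapods-keys plugin). It resolves each key the way described above, environment variable first and the developer’s keychain second, reports which keys are still missing, and checks that .gitignore covers the generated Pods/CocoaPodsKeys folder. The keychain item naming (service name equal to the key name) and the use of the security command line tool are assumptions; on a machine where they differ, pass in your own lookup.

```ruby
require 'open3'

# Keys listed in the Podfile (constructed sample, matching the article).
KEYS = %w[ApiClientSecret ApiClientKey].freeze

# Read a key from the macOS login keychain via the `security` CLI.
# ASSUMPTION: the item is a generic password whose service is the key name;
# the real plugin may store items under a different service/account.
def keychain_lookup(name)
  out, status = Open3.capture2('security', 'find-generic-password',
                               '-s', name, '-w', err: File::NULL)
  status.success? ? out.chomp : nil
rescue Errno::ENOENT
  nil # `security` is not installed (e.g. on Linux CI)
end

# Resolve every key with the precedence the article describes:
# environment variable first (CI), then the keychain (developer machine).
# Missing keys map to nil so the caller can report them instead of
# silently embedding an empty secret in the generated class.
def resolve_keys(names, env: ENV, keychain: method(:keychain_lookup))
  names.each_with_object({}) do |name, found|
    value = env[name]
    value = keychain.call(name) if value.nil? || value.empty?
    found[name] = (value.nil? || value.empty?) ? nil : value
  end
end

def missing_keys(resolved)
  resolved.select { |_, v| v.nil? }.keys
end

# True if .gitignore ignores the generated keys folder, either directly
# or by ignoring the whole Pods directory. Comments and blanks are skipped.
def gitignore_covers?(gitignore_text, path = 'Pods/CocoaPodsKeys')
  gitignore_text.lines.map(&:strip).any? do |pat|
    next false if pat.empty? || pat.start_with?('#')
    ['Pods', path].include?(pat.delete_suffix('/'))
  end
end

if __FILE__ == $PROGRAM_NAME
  resolved = resolve_keys(KEYS)
  missing = missing_keys(resolved)
  puts missing.empty? ? 'all keys resolved' : "missing: #{missing.join(', ')}"
  ignore = File.exist?('.gitignore') ? File.read('.gitignore') : ''
  puts "Pods/CocoaPodsKeys ignored: #{gitignore_covers?(ignore)}"
end
```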

Reference:

https://nshipster.com/secrets/

Please drop your suggestions in the comments! Thanks and Happy Coding! 👩‍💻
