Storing sensitive data in iOS Apps
One way that doesn't work: Using environment variables
- If you click the app name from the top bar in Xcode, you can edit scheme.
- You can try setting values at Run → Arguments → Environment Variables and access them through ProcessInfo.processInfo.environment["KEY"].
However, this didn't work for me. Refer to this problem on Stack Overflow: ProcessInfo.processInfo.environment variables work in Simulator but not on Device
One possible but unsafe way: xcconfig
- Create .xcconfig files and add them to the app build settings.
- Is it safe? No!
Another possible but unsafe way: .gitignore
- I just made a .gitignore that ignores all *Credentials.swift files.
- Is it safe? No!
- However, I am using LinkedIn API that makes a network request.
- Anyone who will take the effort to decompile the app and extract the API key data will attack the network request and extract the key.
- I concluded security beyond not disclosing them through the source control system is meaningless for my use case.
One possible and safe way: Secure Enclaves.
- What is a Secure Enclave? (Apple)
- Storing Keys in the Secure Enclave (Apple)
- Deploy the app without a secret key.
- Access your server, download the information via HTTPS, and save it to the iOS secure enclave whenever you need the key.
- But do you really want this layer of complexity?
Another possible (and probably the correct) way
- Just don't store that level of sensitive information on the client.
Another another possible way that might be worth exploring
Using Keychain Manager.
However, these are meant for storing personal sensitive data like usernames and passwords.
I am unsure if I can store data in Keychain without exposing it to the end-user or application (.ipa) file.