
Storing sensitive data in iOS Apps

2022-04-26

One way that doesn't work: Using environment variables

  • If you click the app name in the top bar in Xcode, you can edit the scheme.
  • You can try setting values at Run → Arguments → Environment Variables and accessing them through ProcessInfo.processInfo.environment["KEY"].

One possible but unsafe way: xcconfig

  • Create .xcconfig and add them to app build settings.
  • Is it safe? No!

Another possible but unsafe way: .gitignore

  • I just made a .gitignore that ignores all *Credentials.swift files.
  • Is it safe? No!
  • However, I am using LinkedIn API that makes a network request.
  • Anyone who will take the effort to decompile the app and extract the API key data will attack the network request and extract the key.
  • I concluded security beyond not disclosing them through the source control system is meaningless for my use case.
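A pre-release check for the two approaches above, as an added example that is not code from the original post: it scans a built .app bundle for a key you already know and reports where it ships in the clear. The bundle is a constructed stand-in; the file names, the `APIKey` Info.plist entry and the key value are assumptions, and the xcconfig value is assumed to be surfaced through Info.plist so the app can read it.

```python
import plistlib
import tempfile
from pathlib import Path

def _walk(value, trail=""):
    """Yield (key path, string) for every string inside a parsed plist."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _walk(v, f"{trail}/{k}")
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _walk(v, f"{trail}[{i}]")
    elif isinstance(value, str):
        yield trail, value

def find_secret_in_bundle(bundle: Path, secret: str) -> list:
    """Return every location in a built bundle where `secret` appears verbatim."""
    hits, needle = [], secret.encode("utf-8")
    for path in sorted(p for p in bundle.rglob("*") if p.is_file()):
        rel, data, strings = path.relative_to(bundle).as_posix(), path.read_bytes(), None
        if path.suffix == ".plist":
            try:  # plistlib reads XML plists and the binary plists device builds ship
                strings = list(_walk(plistlib.loads(data)))
            except Exception:
                pass  # unparseable: fall back to the raw byte scan below
        if strings is not None:
            hits += [f"{rel}:{trail}" for trail, s in strings if secret in s]
        elif needle in data:
            hits.append(f"{rel}:offset {data.find(needle)}")
    return hits

def build_constructed_bundle(root: Path, secret: str) -> Path:
    """Constructed stand-in for a build product; names and layout are made up."""
    app = root / "Demo.app"
    app.mkdir()
    # xcconfig route (assumed): the build setting is expanded into Info.plist.
    (app / "Info.plist").write_bytes(plistlib.dumps(
        {"CFBundleName": "Demo", "APIKey": secret}, fmt=plistlib.FMT_BINARY))
    # Gitignored Credentials.swift route: the literal is compiled into the executable.
    (app / "Demo").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 32 + secret.encode() + b"\x00")
    return app

if __name__ == "__main__":
    key = "CONSTRUCTED-KEY-0123456789abcdef"  # constructed sample, not a real key
    with tempfile.TemporaryDirectory() as tmp:
        for hit in find_secret_in_bundle(build_constructed_bundle(Path(tmp), key), key):
            print("key ships in clear text at", hit)
```

Keeping a file out of source control does not keep its contents out of the build product, so any hit from this scan means the key is shipped to every device that installs the app.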

One possible and safe way: Secure Enclaves.

Another possible (and probably the correct) way

  • Just don't store that level of sensitive information on the client.

Another another possible way that might be worth exploring

Advanced Readings