
Storing sensitive data in iOS Apps

2022-04-26

One way that doesn't work: Using environment variables

  • If you click the app name in the top bar in Xcode, you can edit the scheme.
  • You can try setting values at Run → Arguments → Environment Variables and accessing them through ProcessInfo.processInfo.environment["KEY"].

One possible but unsafe way: xcconfig

  • Create .xcconfig and add them to app build settings.
  • Is it safe? No!

Another possible but unsafe way: .gitignore

  • I just made a .gitignore that ignores all *Credentials.swift files.
  • Is it safe? No!
  • However, I am using the LinkedIn API, which makes a network request.
  • Anyone who will take the effort to decompile the app and extract the API key data will attack the network request and extract the key.
  • I concluded security beyond not disclosing them through the source control system is meaningless for my use case.
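
The following pre-release check is an added example, not code from the original post. It scans a built app bundle for a known secret and shows that a key kept out of Git through .gitignore or .xcconfig still ships in plaintext. The bundle layout, file contents and key are constructed, and `scan_bundle` and `make_demo_bundle` are hypothetical helper names.

```shell
#!/bin/sh
# scan_bundle <bundle-dir> <secret>
# Prints every file under <bundle-dir> whose raw bytes contain <secret>.
# Returns 1 if the secret was found anywhere, 0 if the bundle is clean.
scan_bundle() {
    bundle=$1
    secret=$2
    # -a: treat binaries as text, -F: literal match, -l: list matching files.
    # LC_ALL=C keeps grep from choking on non-UTF-8 bytes in compiled code.
    hits=$(LC_ALL=C find "$bundle" -type f \
        -exec grep -l -a -F -e "$secret" {} + 2>/dev/null) || true
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Builds a constructed stand-in for a compiled .app (not a real build product).
# Prints the path of the created bundle directory.
make_demo_bundle() {
    dir=$(mktemp -d)
    mkdir -p "$dir/Demo.app"
    # Stand-in for the executable: a Swift string literal from an ignored
    # *Credentials.swift file ends up as plain bytes between machine code.
    printf '\000\001\002CONSTRUCTED-KEY-0000\000\377' > "$dir/Demo.app/Demo"
    # Stand-in for an Info.plist that received the value from an .xcconfig
    # build setting (assumption: the setting is referenced from the plist).
    printf '<plist><string>CONSTRUCTED-KEY-0000</string></plist>' \
        > "$dir/Demo.app/Info.plist"
    # A file that carries no secret, to show it is not reported.
    printf 'no secrets here' > "$dir/Demo.app/Assets.car"
    printf '%s\n' "$dir/Demo.app"
}

# Demo run against the constructed bundle.
app=$(make_demo_bundle)
if scan_bundle "$app" "CONSTRUCTED-KEY-0000"; then
    echo "bundle is clean"
else
    echo "secret is embedded in the files listed above"
fi
rm -rf "$(dirname "$app")"
```

Run against a real build, the first argument would be the exported .app directory and the second the key you believe is protected.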

One possible and safe way: Secure Enclaves.

Another possible (and probably the correct) way

  • Just don't store that level of sensitive information on the client.

Another another possible way that might be worth exploring

Advanced Readings