How to Hide API Keys in Github for iOS (Swift) Projects

How to hide API keys in GitHub for iOS (SWIFT) projects?

You can use a .plist file where you store all your important keys. It is very important to put this file into your .gitignore file.

In your case, you need to set your keys.plist file like this:
Sample Image

And use it inside your AppDelegate as follows:

    var keys: NSDictionary?

if let path = NSBundle.mainBundle().pathForResource("Keys", ofType: "plist") {
keys = NSDictionary(contentsOfFile: path)
}
if let dict = keys {
let applicationId = dict["parseApplicationId"] as? String
let clientKey = dict["parseClientKey"] as? String

// Initialize Parse.
Parse.setApplicationId(applicationId!, clientKey: clientKey!)
}

SWIFT 3 Update:

 if let path = Bundle.main.path(forResource: "Keys", ofType: "plist") {
keys = NSDictionary(contentsOfFile: path)
}

Should I use gitignore or your-api-key-here to hide api key on Github?

Typically, other individuals who download your code will need to acquire their own API key to make your project run (depending on how your project is setup). They will then add the API Key to their fork (as a secret) or local repository on their machine.

You can securely store your API key as a "Secret" in your GitHub repository by going to:

  1. Settings tab at top of your repo
  2. Secrets option near bottom of left-most column
  3. New Repository Secret
  4. Enter the variable name for your API Key in the Name field

example: SECRET_API_KEY


  1. Enter your API Key value into the Value field.
  2. Add Secret

Now you just need to ensure that your project references the SECRET_API_KEY variable.

Note: Other individuals will not be able to access this Secret. Only you, as repo owner, can access this key. Other developers will need to acquire their own API key and store it as a secret in their fork of your project.

Using a javascript file to store an API key needed in an Xcode project

I did what Chris G commented and created a JSON file, which I opened and parsed in my App Delegate. It worked.

FYI, don't forget to go to do Project > Build Phases > Copy Bundle Resources > +
in order to add the JSON file to your bundle so you can access it.

Best practice for storing and protecting private API keys in applications

  1. As it is, your compiled application contains the key strings, but also the constant names APP_KEY and APP_SECRET. Extracting keys from such self-documenting code is trivial, for instance with the standard Android tool dx.

  2. You can apply ProGuard. It will leave the key strings untouched, but it will remove the constant names. It will also rename classes and methods with short, meaningless names, where ever possible. Extracting the keys then takes some more time, for figuring out which string serves which purpose.

    Note that setting up ProGuard shouldn't be as difficult as you fear. To begin with, you only need to enable ProGuard, as documented in project.properties. If there are any problems with third-party libraries, you may need to suppress some warnings and/or prevent them from being obfuscated, in proguard-project.txt. For instance:

    -dontwarn com.dropbox.**
    -keep class com.dropbox.** { *; }

    This is a brute-force approach; you can refine such configuration once the processed application works.

  3. You can obfuscate the strings manually in your code, for instance with a Base64 encoding or preferably with something more complicated; maybe even native code. A hacker will then have to statically reverse-engineer your encoding or dynamically intercept the decoding in the proper place.

  4. You can apply a commercial obfuscator, like ProGuard's specialized sibling DexGuard. It can additionally encrypt/obfuscate the strings and classes for you. Extracting the keys then takes even more time and expertise.

  5. You might be able to run parts of your application on your own server. If you can keep the keys there, they are safe.

In the end, it's an economic trade-off that you have to make: how important are the keys, how much time or software can you afford, how sophisticated are the hackers who are interested in the keys, how much time will they want to spend, how much worth is a delay before the keys are hacked, on what scale will any successful hackers distribute the keys, etc. Small pieces of information like keys are more difficult to protect than entire applications. Intrinsically, nothing on the client-side is unbreakable, but you can certainly raise the bar.

(I am the developer of ProGuard and DexGuard)

How to hide API Keys in flutter and still be able for your team to use your code base?

If you add those two files in .gitignore (and that is debatable for google-services.json), you are making clear, as explained here that others who build your code that they should be setting up their own Firebase project to host its configuration and data (because your project simply won't build with that file missing)

Other approaches are explained in this issue

  • Leave those files there (with fake data), as they are.

    If you want to override them in local, you can do so and then use this command to ignore the changes:

      git update-index --assume-unchanged GoogleService-Info.plist
  • Convert those files to "example" files, and add the original ones to gitignore.

    A setup task should convert the example files into real files if the real ones don't exist.



Related Topics



Leave a reply



Submit