Best practices for securing API credentials as part of an iPhone app
<p>The apps that I build frequently have 'social media service' requirements; e.g.</p>
<ol>
<li>Twitter</li>
<li>bit.ly</li>
<li>Facebook</li>
</ol>
<p>For most of these services, I need to have an API key of some sort. I'm trying to work out the best way of including these API keys in the application binary. The desired level of security depends on the possible attacks that can be conducted by malicious attackers.</p>
<h1>Twitter</h1>
<ul>
<li>I have an xAuth-enabled key and secret. Both need to be used by the iPhone app.</li>
</ul>
<h2>Fallout from attack</h2>
<ul>
<li>Malicious users could post Twitter status updates masquerading as coming from my app. There is no Twitter account to hijack and start posting status updates on.</li>
</ul>
<h1>bit.ly</h1>
<ul>
<li>I have a username, password and API key.</li>
<li>To log in to the website and access analytics, the username and password are required.</li>
<li>To create links via the API, only the username and API key are required by my iPhone apps. The password will not be in the app in any form.</li>
</ul>
<h2>Fallout from attack</h2>
<ul>
<li>Malicious users could create links on my bit.ly account. They would need to do a separate attack to brute-force or otherwise gain the password to log in to the account.</li>
</ul>
<p>For both of those services, the potential for harm doesn't seem too great. But for other services, it could be much worse.</p>
<p>I can just define the API credentials as strings in the header or in-line in the code, but then it's vulnerable to someone using <strong>strings</strong> on the application to see what's in it.</p>
<p>I could then start doing silly concatenation / XOR-ing in the code to recreate the API key in memory, and the attacker would have to do a bit more work to recover any keys in the binary. My concern with that is that I'm not a cryptographer and would create an embarrassingly weak form of obfuscation there.</p>
<p>What better suggestions do people have?</p>
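The two risks the question weighs, a plaintext credential showing up in `strings` output and an XOR-obfuscated one only raising the effort slightly, can be illustrated offline. The following is an added example, not code from the question or from any of the services it names: it builds a constructed stand-in for an app binary, runs a minimal equivalent of the `strings` utility over it, and then shows why the XOR mask, which has to ship in the same binary, gives the secret back. All credential values and the mask are constructed placeholders.

```python
import re

# Constructed placeholder credential and mask; not real keys.
API_KEY = b"EXAMPLE_TWITTER_KEY_0123456789"
XOR_MASK = bytes([0x5A, 0x3C, 0x7E, 0x91])


def xor_obfuscate(secret: bytes, mask: bytes) -> bytes:
    """XOR each byte with a repeating mask (the 'silly xor-ing' from the question).
    XOR is its own inverse, so the same function also de-obfuscates."""
    return bytes(b ^ mask[i % len(mask)] for i, b in enumerate(secret))


def build_fake_binary(plain: bytes, obfuscated: bytes, mask: bytes) -> bytes:
    """Constructed stand-in for an executable: control-byte filler around
    a plaintext credential and, later, the mask followed by the masked credential."""
    filler = bytes(range(32)) * 40          # non-printable padding, 1280 bytes
    return (filler[:300] + plain + b"\x00"
            + filler[300:700] + mask + obfuscated + b"\x00"
            + filler[700:])


def strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Equivalent of the `strings` utility: runs of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def recover_from_mask(blob: bytes, mask: bytes, length: int) -> bytes:
    """The mask is stored next to the masked bytes, so locating the mask is enough to
    undo the obfuscation. This is the 'bit more work' the question refers to."""
    offset = blob.index(mask) + len(mask)
    return xor_obfuscate(blob[offset:offset + length], mask)


def demo() -> dict:
    masked = xor_obfuscate(API_KEY, XOR_MASK)
    blob = build_fake_binary(API_KEY, masked, XOR_MASK)
    found = strings(blob)
    recovered = recover_from_mask(blob, XOR_MASK, len(API_KEY))
    return {
        "strings_output": found,                    # plaintext key is listed verbatim
        "plaintext_exposed": API_KEY.decode() in found,
        "masked_hidden_from_strings": len(found) == 1,
        "masked_recovered": recovered == API_KEY,   # obfuscation does not prevent recovery
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The takeaway for the design decision in the question: XOR-ing keeps the value out of a casual `strings` listing, but because the mask and the masked bytes ship together, the protection is only against the least effort, and the credential's blast radius (what the key can do once recovered) is what actually bounds the risk.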