I have few API keys in my Xcode project, for ex. google API keys, fabric key, contentful SDK key, etc.
I'm worried about those keys to be leaked from my build, Because they are not free versions, I've been paying according to it's usage.
I found on research that some people can do reverse engineering on IPA file (XCode build) and they can extract API keys from code/plist files, and use them.
Que-1. Is there a better way I can protect my all API keys?
Que-2. Is there other place to put my API keys, instead of .plist file.
Que-3. Does Firebase provide features to store all API keys to cloud and access them directly. if yes, please guide me.
Thanks for your help in advance.
Hardcoded keys can not be extracted by Reverse Engineering. So, hardcode your API keys in your code
Hardcoded keys can not be extracted by Reverse Engineering
If you want, you can use Firebase Remote Config to store API keys on Firebase
Related
In our Stream Analytics Job we have some constant values that are required for further computations. Those are considered "secret" by our customer, so it would be good to not have them set directly in the Query or the User Defined Function we're using. Is there any best practice how to deal with these, e.g. can we somehow retrieve these values from Azure Key Vault?
Unfortunately, Azure Stream Analytics don’t support Azure Key Vault bindings.
I would suggest you to vote up an idea submitted by another Azure customer.
https://feedback.azure.com/forums/270577-stream-analytics/suggestions/35328418-enhance-security-for-asa-managed-services-identit
https://feedback.azure.com/forums/270577-stream-analytics/suggestions/40530247-azure-key-vault-as-reference-data-input
All of the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.
You could try to see if Reference Data option in Stream Analytics could be the place where you store the constants and update often. If the concern is about having control over how your queries get encrypted while using ASA, you can use your own storage account to store all private data assets related to the job. And then encrypt your storage account in whatever approach you see fit.
Any idea if store and retrieval (export the symmetric key out of keyvault) of symmetric keys is supported in Azure Kev vault or possible? I referenced Azure Keyvault documents here and it mentions the Symmetric keys are not supported and may be supported in future (not sure though if the documentation I read is current).
If it’s not supported, is there a way to simulate this using other interfaces like Secrets? Could you share a sample code to do this using Azure Keyvault REST API?
You are right about storing the symmetric keys as secrets.
REST API
Here is a detailed article around the code involved to do this using REST API
http://thuansoldier.net/7329/
.NET SDK
Here is the nuget package
https://www.nuget.org/packages/Microsoft.Azure.KeyVault/
You can use the KeyVaultClient class and GetSecretAsync method.
Here is an example on Microsoft Docs - https://learn.microsoft.com/en-us/azure/key-vault/key-vault-use-from-web-application
Similar SDKs are available for Node.js, Java and Python
I am currently developing a iOS app using Swift 4.1.
As my app involves the Twitter REST API, I need to provide the consumer key and consumer secret in one of my classes. (i.e developer's consumer key and secret, users DO NOT need to generate their own key)
Would like to know if it is safe to store the consumer key and consumer secret in the code or do I need to store them somewhere else?
Generally speaking, if it's valuable enough, any secret will eventually be compromised. The trick is to make it harder to steal than the benefit that would result from stealing it.
Specifying your API key as a string constant is a pretty bad idea. A hacker with access to the binary or intermediate bitcode could extract strings from the binary and look for high entropy constants which are likely candidates to be API key values.
Be careful, it is also very easy to store your secret in your git repository and accidentally publish it for the world to see.
As an improvement, consider obfuscating the API key in your code and computing the actual key value at runtime. For example, use a simple exclusive-or mask:
MaskedApiKey = OriginalApiKey XOR Mask
OriginalApiKey = MaskedApiKey XOR Mask
Store the MaskedApiKey and Mask in your code, and combine them at runtime to restore the OriginalApiKey. Now an attacker needs to grab two constants from your code to steal the API key. You can extend this technique to make it arbitrarily obfuscated at runtime. The logical extension of this is white box encryption
A secret is even harder to steal if it is never stored in your code in the first place. So, an alternative technique is to store the API key in an external secrets service off your app. By registering your app with the secrets service, the service can attest that the app is authentic and untampered and provide your app the API key at run time. See Mobile API Security toward the end of the article for an example.
Of course, none of this matters if your API call is made in the clear and is easily observed by a Man in the Middle (MitM) attack. Always make your API calls using TLS
(HTTPS) strengthened by certificate pinning.
Take a look at this OWASP talk for a quick overview of mobile API security.
I'm creating an app using yodlee api, so far everything good, but right now, I'm having this block related to the PKI feature of yodlee. I'm not able to encrypt the data using "RSA/ECB/PKCS1Padding" as they request, all I found so far are java examples, anyone with a snippet of code, or a reference to make this possible on ruby?
I guess you are referring to this manual to integrate Yodlee API with PKI feature.
Have a look into the ruby's OpenSSL classes. Encryption using RSA is possible with the OpenSSL::PKey::RSA class, see also this intro doc. Basically you have to load the public key returned from the API, and use the public_encrypt method to encrypt the data and hex-encode it in the end. The encryption uses the PKCS1_PADDING by default which is just what you want.
A complete example is available in this SO answer.
I'm developing for iOS and I need to make requests to certain APIs using an API key and a secret. However, I wouldn't like for it to be exposed in my source code and have the secret compromised when I push to my repository.
What is the best practice for this case? Write it in a separate file which I'll include in .gitignore?
Thanks
Write it in a separate file which I'll include in .gitignore?
No, don't write it ever.
That means:
you don't write that secret within your repo (no need to gitignore it, or ot worry about adding/committing/pushing it by mistake)
you don't write it anywhere on your local drive (no need to worry about your computer stolen with that "secret" on it)
Store in your repo a script able to seek that secret from an external source (from outside of git repo) and load it in memory.
This is similar to a git credential-helper process, and that script would launch a process listening to localhost:port in order to serve that "secret" to you when you whenever you need it in the current session only.
Once the session is done, there is no trace left.
And that is the best practice to manage secret data.
You can trigger automatically that script on git checkout, if you declare it in a .gitattributes file as a content filter:
This is a very old question, but if anyone is seeing this in google I would suggest you try CloudKit for storing any App secrets (API keys, Oauth secrets). Only your app can access your app container and communication between Apple and your app is secure.
You can check it out here.