Forem: Mateusz Siatrak The latest articles on Forem by Mateusz Siatrak (@msiatrak). https://forem.com/msiatrak https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1282022%2F09ec0066-0d5e-4e2c-819e-3d3f7eb5341b.png Forem: Mateusz Siatrak https://forem.com/msiatrak en Securing API Keys in SwiftUI: A Practical Guide (Intro) Mateusz Siatrak Fri, 16 Feb 2024 09:00:00 +0000 https://forem.com/msiatrak/securing-api-keys-in-swiftui-a-practical-guide-intro-3f91 https://forem.com/msiatrak/securing-api-keys-in-swiftui-a-practical-guide-intro-3f91 <p>In a world where mobile apps frequently interact with web services, securing API keys has become a paramount concern for developers. As someone who has experienced the repercussions of stolen keys firsthand, I've learned that the traditional method of storing API keys in <code>.xcconfig</code> files and injecting them into the <code>Info.plist</code> at build time is not foolproof. While the method keeps API keys out of the source code, it does little to prevent bad actors from reading them in plain text from the <code>plist</code>. </p> <p>In this article, we will explore different methods to secure API keys in SwiftUI apps, examining their effectiveness both in protecting keys from appearing in the source control and in making it harder for attackers to extract keys.</p> <h2> Methods of Securing API Keys </h2> <h3> Method 1: Storing Keys in <code>.plist</code> Files </h3> <p>Traditionally, developers would inject API keys into <code>Info.plist</code> using <code>.xcconfig</code> files which are not checked into source control.</p> <ul> <li> <strong>Source Control</strong>: ✅ (API keys are not checked into source)</li> <li> <strong>Extraction Difficulty</strong>: ❌ (It's easy for bad actors to extract plain text keys)</li> </ul> <h3> Method 2: Server Retrieval and Secure Storage </h3> <p>Retrieve the API Key from a server at runtime and securely store it in the Keychain.</p> <ul> <li> <strong>Source Control</strong>: ✅ (API keys are not checked into source)</li> <li> <strong>Extraction Difficulty</strong>: ✅ (More difficult for attackers with encrypted transmission and Keychain storage)</li> </ul> <h3> Method 3: Obfuscating Keys </h3> <p>Obfuscate the API key by splitting, encoding, or adding dummy code to confuse decompilers.</p> <ul> <li> <strong>Source Control</strong>: ✅ (API keys are not checked into source if obfuscation is done at build time)</li> <li> <strong>Extraction Difficulty</strong>: ⚠️ (Increases difficulty but not foolproof)</li> </ul> <h3> Method 4: GYB Technique with Custom Salt </h3> <p>Utilize Swift GYB (Generate Your Boilerplate) to obfuscate keys with every build using a custom salt.</p> <ul> <li> <strong>Source Control</strong>: ✅ (API keys are not checked into source and are obfuscated in source code)</li> <li> <strong>Extraction Difficulty</strong>: ✅ (Higher difficulty, as keys change with every build)</li> </ul> <h3> Method 5: CloudKit Key Management </h3> <p>Use CloudKit to distribute keys to all app users and store them in the Keychain.</p> <ul> <li> <strong>Source Control</strong>: ✅ (API keys are not included in source code)</li> <li> <strong>Extraction Difficulty</strong>: ✅ (Stored securely in the Keychain with CloudKit's security)</li> </ul> <h3> More Detailed Pros and Cons </h3> <p>Here's a closer look at the pros and cons of each approach:</p> <h4> <code>.plist</code> Injection via <code>.xcconfig</code> </h4> <ul> <li> <strong>Pros</strong>: Easy to implement; keeps keys out of source control.</li> <li> <strong>Cons</strong>: Does not protect against binary inspection; plist files can easily be read.</li> </ul> <h4> Server Retrieval and Keychain Storage </h4> <ul> <li> <strong>Pros</strong>: Secure storage; keys are not bundled with the app; Keychain provides encryption.</li> <li> <strong>Cons</strong>: Dependent on network availability; initial setup may be complex.</li> </ul> <h4> Obfuscating Keys </h4> <ul> <li> <strong>Pros</strong>: Provides a basic level of security; relatively simple to implement.</li> <li> <strong>Cons</strong>: Can be reversed by skilled attackers; adds maintenance overhead.</li> </ul> <h4> GYB with Custom Salt </h4> <ul> <li> <strong>Pros</strong>: Creates unique obfuscations with each build; more advanced protection technique.</li> <li> <strong>Cons</strong>: Requires understanding of GYB tooling; may be complex for new developers.</li> </ul> <h4> CloudKit Key Management </h4> <ul> <li> <strong>Pros</strong>: Removes keys from code; leverages Apple’s security for transfer and storage.</li> <li> <strong>Cons</strong>: Dependent on CloudKit uptime and user iCloud accounts; initial learning curve.</li> </ul> <h2> Example Using CloudKit for Key Management </h2> <p>One effective way to manage API keys is through CloudKit by storing the key securely on Apple's servers and distributing it to authenticated users of your app. Here’s a basic implementation of how you can store and retrieve an encrypted API key using CloudKit and save it in the Keychain:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="kd">import</span> <span class="kt">CloudKit</span> <span class="kd">import</span> <span class="kt">KeychainAccess</span> <span class="kd">class</span> <span class="kt">APIKeyManager</span> <span class="p">{</span> <span class="kd">private</span> <span class="k">let</span> <span class="nv">container</span> <span class="o">=</span> <span class="kt">CKContainer</span><span class="o">.</span><span class="nf">default</span><span class="p">()</span> <span class="kd">private</span> <span class="k">let</span> <span class="nv">keychain</span> <span class="o">=</span> <span class="kt">Keychain</span><span class="p">(</span><span class="nv">service</span><span class="p">:</span> <span class="s">"com.yourapp.service"</span><span class="p">)</span> <span class="kd">func</span> <span class="nf">retrieveAPIKey</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="nv">publicDB</span> <span class="o">=</span> <span class="n">container</span><span class="o">.</span><span class="n">publicCloudDatabase</span> <span class="k">let</span> <span class="nv">predicate</span> <span class="o">=</span> <span class="kt">NSPredicate</span><span class="p">(</span><span class="nv">value</span><span class="p">:</span> <span class="kc">true</span><span class="p">)</span> <span class="k">let</span> <span class="nv">query</span> <span class="o">=</span> <span class="kt">CKQuery</span><span class="p">(</span><span class="nv">recordType</span><span class="p">:</span> <span class="s">"APIKeys"</span><span class="p">,</span> <span class="nv">predicate</span><span class="p">:</span> <span class="n">predicate</span><span class="p">)</span> <span class="n">publicDB</span><span class="o">.</span><span class="nf">perform</span><span class="p">(</span><span class="n">query</span><span class="p">,</span> <span class="nv">inZoneWith</span><span class="p">:</span> <span class="kc">nil</span><span class="p">)</span> <span class="p">{</span> <span class="p">[</span><span class="k">weak</span> <span class="k">self</span><span class="p">]</span> <span class="p">(</span><span class="n">records</span><span class="p">,</span> <span class="n">error</span><span class="p">)</span> <span class="k">in</span> <span class="k">if</span> <span class="k">let</span> <span class="nv">record</span> <span class="o">=</span> <span class="n">records</span><span class="p">?</span><span class="o">.</span><span class="n">first</span><span class="p">,</span> <span class="k">let</span> <span class="nv">encryptedKey</span> <span class="o">=</span> <span class="n">record</span><span class="p">[</span><span class="s">"encryptedKey"</span><span class="p">]</span> <span class="k">as?</span> <span class="kt">String</span> <span class="p">{</span> <span class="k">let</span> <span class="nv">apiKey</span> <span class="o">=</span> <span class="k">self</span><span class="p">?</span><span class="o">.</span><span class="nf">decryptKey</span><span class="p">(</span><span class="nv">encryptedApiKey</span><span class="p">:</span> <span class="n">encryptedKey</span><span class="p">)</span> <span class="k">self</span><span class="p">?</span><span class="o">.</span><span class="n">keychain</span><span class="p">[</span><span class="s">"apiKey"</span><span class="p">]</span> <span class="o">=</span> <span class="n">apiKey</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">private</span> <span class="kd">func</span> <span class="nf">decryptKey</span><span class="p">(</span><span class="nv">encryptedApiKey</span><span class="p">:</span> <span class="kt">String</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="kt">String</span> <span class="p">{</span> <span class="c1">// Implement your decryption logic here</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> GYB with Obfuscation and Custom Salts </h2> <p>The GYB (Generate Your Boilerplate) tool is a powerful Python script that can preprocess Swift files to generate Swift code. It's particularly useful when you need to create repetitive code or, as in this case, when you want to obfuscate values like API keys before compile time. We'll expand upon how to use GYB to create an obfuscated API key, how to integrate it into your build process and decode the key in the SwiftUI app.</p> <h3> Preparing the GYB Template </h3> <p>You'll first want to create a <code>.gyb</code> file that contains Python code for obfuscation logic. Create a file named <code>APIKey.swift.gyb</code> and save it in your Xcode project directory, preferably in a folder that also contains an Xcode group for clarity.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># APIKey.swift.gyb </span><span class="o">%</span><span class="p">{</span> <span class="kn">import</span> <span class="n">os</span> <span class="c1"># Generate a random salt </span><span class="n">salt</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">urandom</span><span class="p">(</span><span class="mi">16</span><span class="p">)</span> <span class="n">encoded_key</span> <span class="o">=</span> <span class="sh">''</span><span class="p">.</span><span class="nf">join</span><span class="p">([</span><span class="sa">f</span><span class="sh">'</span><span class="se">\\</span><span class="s">x</span><span class="si">{</span><span class="n">b</span><span class="si">:</span><span class="mi">02</span><span class="n">x</span><span class="si">}</span><span class="sh">'</span> <span class="k">for</span> <span class="n">b</span> <span class="ow">in</span> <span class="sh">'</span><span class="s">Your-API-Key</span><span class="sh">'</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">)])</span> <span class="p">}</span><span class="o">%</span> <span class="o">//</span> <span class="n">Your</span> <span class="n">Swift</span> <span class="nb">file</span> <span class="n">contents</span> <span class="n">enum</span> <span class="n">APIKeys</span> <span class="p">{</span> <span class="n">static</span> <span class="n">let</span> <span class="n">obfuscatedKey</span><span class="p">:</span> <span class="n">String</span> <span class="o">=</span> <span class="sh">"</span><span class="s">${encoded_key}</span><span class="sh">"</span> <span class="n">static</span> <span class="n">let</span> <span class="n">salt</span><span class="p">:</span> <span class="p">[</span><span class="n">UInt8</span><span class="p">]</span> <span class="o">=</span> <span class="p">[</span><span class="o">%</span> <span class="k">for</span> <span class="n">b</span> <span class="ow">in</span> <span class="n">salt</span> <span class="o">%</span><span class="p">]</span><span class="err">$</span><span class="p">{</span><span class="nf">hex</span><span class="p">(</span><span class="n">b</span><span class="p">)},[</span><span class="o">%</span> <span class="n">end</span> <span class="o">%</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h4> Running GYB to Generate Swift Code </h4> <p>GYB needs to be executed as part of the build process before compiling your Swift code.</p> <ol> <li>Download <code>gyb.py</code> from the <a href="https://github.com/apple/swift/blob/main/utils/gyb.py">Swift repository</a> or install it using Homebrew: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> brew <span class="nb">install </span>gyb </code></pre> </div> <ol> <li>Add a Run Script build phase in Xcode to your target: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>cd $SRCROOT gyb --line-directive '' -o APIKeys.swift APIKey.swift.gyb </code></pre> </div> <p>This script navigates to the source root of your Xcode project, runs <code>gyb</code>, and outputs an <code>APIKeys.swift</code> file. The <code>--line-directive</code> option removes line directives from the output, making the resultant Swift file cleaner.</p> <h4> Decoding the Key in SwiftUI </h4> <p>Now your app needs to decode this obfuscated key at runtime before using it. The decoding process—in this case, simply reversing the obfuscation—would be applied in the app's source-code when the key is required.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="c1">// APIKeys.swift (Generated by GYB)</span> <span class="kd">enum</span> <span class="kt">APIKeys</span> <span class="p">{</span> <span class="kd">static</span> <span class="k">let</span> <span class="nv">obfuscatedKey</span><span class="p">:</span> <span class="kt">String</span> <span class="o">=</span> <span class="s">"</span><span class="err">\</span><span class="s">x68</span><span class="err">\</span><span class="s">x65</span><span class="err">\</span><span class="s">x6c</span><span class="err">\</span><span class="s">x6c</span><span class="err">\</span><span class="s">x6f"</span> <span class="kd">static</span> <span class="k">let</span> <span class="nv">salt</span><span class="p">:</span> <span class="p">[</span><span class="kt">UInt8</span><span class="p">]</span> <span class="o">=</span> <span class="p">[</span><span class="mh">0xae</span><span class="p">,</span> <span class="mh">0xbf</span><span class="p">,</span> <span class="mh">0x20</span><span class="p">,</span> <span class="o">...</span><span class="p">]</span> <span class="c1">// Randomly generated each build</span> <span class="p">}</span> <span class="c1">// Your Swift file where you're decoding the key</span> <span class="kd">class</span> <span class="kt">APIManager</span> <span class="p">{</span> <span class="kd">static</span> <span class="k">let</span> <span class="nv">shared</span> <span class="o">=</span> <span class="kt">APIManager</span><span class="p">()</span> <span class="kd">private(set)</span> <span class="k">var</span> <span class="nv">apiKey</span><span class="p">:</span> <span class="kt">String</span><span class="p">?</span> <span class="nf">init</span><span class="p">()</span> <span class="p">{</span> <span class="nf">decodeAPIKey</span><span class="p">()</span> <span class="p">}</span> <span class="kd">private</span> <span class="kd">func</span> <span class="nf">decodeAPIKey</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="nv">obfuscatedBytes</span> <span class="o">=</span> <span class="p">[</span><span class="kt">UInt8</span><span class="p">](</span><span class="kt">APIKeys</span><span class="o">.</span><span class="n">obfuscatedKey</span><span class="o">.</span><span class="n">utf8</span><span class="p">)</span> <span class="k">let</span> <span class="nv">decodedBytes</span> <span class="o">=</span> <span class="nf">zip</span><span class="p">(</span><span class="n">obfuscatedBytes</span><span class="p">,</span> <span class="kt">APIKeys</span><span class="o">.</span><span class="n">salt</span><span class="p">)</span><span class="o">.</span><span class="n">map</span> <span class="p">{</span> <span class="nv">$0</span> <span class="o">^</span> <span class="nv">$1</span> <span class="p">}</span> <span class="n">apiKey</span> <span class="o">=</span> <span class="kt">String</span><span class="p">(</span><span class="nv">bytes</span><span class="p">:</span> <span class="n">decodedBytes</span><span class="p">,</span> <span class="nv">encoding</span><span class="p">:</span> <span class="o">.</span><span class="n">utf8</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// Rest of your API Manager code</span> <span class="p">}</span> <span class="c1">// Access the key in your SwiftUI Views or elsewhere</span> <span class="k">let</span> <span class="nv">apiManager</span> <span class="o">=</span> <span class="kt">APIManager</span><span class="o">.</span><span class="n">shared</span> <span class="nf">print</span><span class="p">(</span><span class="n">apiManager</span><span class="o">.</span><span class="n">apiKey</span> <span class="p">??</span> <span class="s">"No API Key found"</span><span class="p">)</span> </code></pre> </div> <p>In this example, we've created an <code>APIManager</code> class that is responsible for decoding and providing the API key. It zips the obfuscated key bytes with the salt bytes and uses bitwise XOR to retrieve the original key's bytes, then converts it back to a string.</p> <h2> Final Thoughts </h2> <p>While there is no perfect method to secure API keys absolutely, combining several of these methods can strengthen your app’s defense against key theft.</p> <ul> <li> <strong>Obfuscation Techniques</strong>: At a minimum, implement key obfuscation to frustrate casual inspection of the binary.</li> <li> <strong>CloudKit Distribution</strong>: For a more secure approach, distribute the key to users via CloudKit, removing the key from the source code entirely and relying on secure communication between the device and Apple’s servers.</li> </ul> <p>Through these methods, we enhance our resilience against the theft and misuse of sensitive API keys in our SwiftUI applications. Remember to keep monitoring for any unusual activity in your API usage, and combine these strategies with API usage limits to give you more control and minimize potential damage.</p> ios swift security beginners