iOS: Is there a safe way to include an API key in the code?

没有蜡笔的小新 2020-12-18 06:46

Amazon has an AWS SDK for iOS, along with several sample apps. In their samples, they put the API credentials in a Constants.h file:

// Constant         


        
4 Answers
  • 2020-12-18 07:28

    Probably you could store them in an encoded form and encode them as needed.

  • 2020-12-18 07:31

    There are a couple of credential management options to help you avoid embedding credentials in your app. The first is Web Identity Federation, which allows users to log in to your app with Facebook, Google, or Login With Amazon. Another option is to use a Token Vending Machine, which is a server component that distributes temporary credentials to your app.

    There is a high-level overview with pointers to the relevant documentation and code samples on the AWS Mobile Development Blog: http://mobile.awsblog.com/post/Tx3UKF4SV4V0LV3/Announcing-Web-Identity-Federation

  • 2020-12-18 07:34

    Did you try a KeychainItemWrapper?

    #import <Security/Security.h>
    #import "KeychainItemWrapper.h"
    KeychainItemWrapper *keychain =
        [[KeychainItemWrapper alloc] initWithIdentifier:@"TestAppLoginData" accessGroup:nil];
    

    To set:

    // Under ARC the CFStringRef constants need a bridged cast
    [keychain setObject:@"some text" forKey:(__bridge id)kSecAttrAccount];
    [keychain setObject:@"some pass" forKey:(__bridge id)kSecValueData];
    

    To get:

    // Under ARC the CFStringRef constants need a bridged cast
    NSString *text = [keychain objectForKey:(__bridge id)kSecAttrAccount];
    NSString *pass = [keychain objectForKey:(__bridge id)kSecValueData];
    

    Keychain Services Programming Guide

    Before that, import Security.framework.

    I didn't check this code; if something doesn't work, let me know.

  • 2020-12-18 07:36

    You'll probably want to create temporary write credentials using AWS STS tokens instead of passing keys all the way to the client. You can also create OAIs for CloudFront endpoints so no users directly access S3.

    http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html

    http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

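
The server side of the Token Vending Machine / STS approach suggested in the answers above, as an added example that is not code from this page or from AWS: it builds the STS GetFederationToken request so the app only ever receives short-lived credentials limited to one user's S3 upload prefix. The bucket name, key layout, user-id format and function names are assumptions made for illustration.

```python
import json
import re

# Assumed for illustration (not from the page): bucket name, key layout, user-id format.
BUCKET = "example-app-uploads"
LIFETIME_SECONDS = 900  # 15 minutes, the shortest lifetime STS issues
_USER_ID = re.compile(r"[A-Za-z0-9_-]{2,32}")  # subset of what STS allows in Name


def session_policy(user_id: str) -> dict:
    """Session policy limiting the temporary credentials to one user's prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/uploads/{user_id}/*",
        }],
    }


def federation_request(user_id: str) -> dict:
    """Arguments for STS GetFederationToken, built after the user has logged in."""
    # The id is interpolated into an ARN: wildcards, slashes or policy
    # variables in it would widen the grant, so only a strict format passes.
    if not _USER_ID.fullmatch(user_id):
        raise ValueError("user id not allowed in a policy resource")
    policy = json.dumps(session_policy(user_id), separators=(",", ":"))
    if len(policy) > 2048:  # STS limit on an inline session policy
        raise ValueError("session policy too large")
    return {"Name": user_id, "Policy": policy,
            "DurationSeconds": LIFETIME_SECONDS}


def client_payload(sts_response: dict) -> dict:
    """The only fields sent to the app: temporary key, secret, token, expiry."""
    creds = sts_response["Credentials"]
    return {
        "accessKeyId": creds["AccessKeyId"],
        "secretAccessKey": creds["SecretAccessKey"],
        "sessionToken": creds["SessionToken"],
        "expiration": str(creds["Expiration"]),
    }

# On the server, with boto3 installed and the long-term key kept server-side:
#   resp = boto3.client("sts").get_federation_token(**federation_request(uid))
#   return client_payload(resp)
```

The effective permissions are the intersection of this session policy and the policy of the IAM user whose key the server holds, so that IAM user should itself be limited to the upload bucket.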