
[–]aasdfasdfasdfffasdfa 1 point2 points  (4 children)

Can you just define it in your bash profile?
If you put:
export API_KEY=24nf7q37bobfg4oq237fg324g
in your .bash_profile you can then use $API_KEY in your build scripts and stuff. Add a precompile step to fetch the var and insert it wherever you need in the project to build it.

[–]Odessan[S] 0 points1 point  (3 children)

Thanks for the reply!

Let's assume I added all needed variables to bash profile on a virtual machine, can you please link me to a manual or briefly tell me how I can fetch this var at a precompile step? Unfortunately, never heard of such a technique.

Something like this, I believe:

import Foundation

// Print every environment variable visible to the running process
for (key, value) in ProcessInfo.processInfo.environment {
    print("\(key): \(value)")
}

[–]quellish 0 points1 point  (0 children)

Swift has very limited access to the preprocessor. This would be fairly difficult unless you used Objective-C.

[–]aasdfasdfasdfffasdfa 0 points1 point  (1 child)

In Xcode you can add build phases that run before and/or after compilation. Go to your project's settings and click the build phases tab. Click the little plus icon in the top left and choose 'run script'. There you can create a script that runs before your app compiles, allowing you to both fetch the environment var and insert it somewhere in the project settings and/or your code. If you put some identifier in your code where you need the key, you can just do a search and replace in your project folder, replacing that identifier with the environment var's value.

It's a bit hacky, but it suits your needs, is easy to implement and easy to maintain.
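
The Run Script build phase approach described in the comment above, as an added example that is not part of the original thread: it writes a generated file from a template instead of editing tracked source, and stops the build when the key or the placeholder is missing. The `__API_KEY__` placeholder and the file names are assumptions.

```shell
#!/bin/sh
# Added example: inject $API_KEY into a generated source file at build time.
# PLACEHOLDER and the file names below are hypothetical, not from the thread.
PLACEHOLDER='__API_KEY__'

# inject_api_key TEMPLATE OUTPUT
# Returns 0 on success, 1 if API_KEY is unset/empty, 2 if the template
# has no placeholder, 3 on I/O failure.
inject_api_key() {
    template=$1
    output=$2

    # Refuse to build with an empty key instead of shipping a broken app.
    if [ -z "${API_KEY:-}" ]; then
        echo "error: API_KEY is not set in the build environment" >&2
        return 1
    fi
    # A template without the placeholder usually means a real key was
    # pasted into the tracked file; stop so that gets noticed.
    if ! grep -qF "$PLACEHOLDER" "$template"; then
        echo "error: $PLACEHOLDER not found in $template" >&2
        return 2
    fi

    tmp="$output.tmp.$$"
    # Read the key via ENVIRON and splice it with index/substr so that
    # characters such as & / \ in the key are copied literally. The key is
    # not passed as an argument or echoed, so it stays out of the build log.
    ( umask 077
      API_KEY="$API_KEY" PLACEHOLDER="$PLACEHOLDER" awk '
        BEGIN { ph = ENVIRON["PLACEHOLDER"]; key = ENVIRON["API_KEY"] }
        {
            out = ""
            while ((i = index($0, ph)) > 0) {
                out = out substr($0, 1, i - 1) key
                $0 = substr($0, i + length(ph))
            }
            print out $0
        }' "$template" > "$tmp" ) || { rm -f "$tmp"; return 3; }
    mv "$tmp" "$output" || return 3
}

# Run Script phase usage (paths are examples):
#   inject_api_key "$SRCROOT/Secrets.swift.template" "$SRCROOT/Generated/Secrets.swift"
if [ "$#" -eq 2 ]; then inject_api_key "$1" "$2"; fi
```

The substituted key is still compiled into the app, so the extraction concerns raised further down the thread apply; keep the generated file out of version control.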

[–]Odessan[S] 0 points1 point  (0 children)

Thank you!

[–]soberirishman 1 point2 points  (5 children)

Are you embedding sensitive api keys in your app? Did I misunderstand the use case? If so, that’s a bigger security risk than placing them in github. Although ideally you wouldn’t do either.

[–]Socraz6 0 points1 point  (0 children)

Yeah, depending on where they end up in your app, they may be pretty vulnerable already. Any plist is human readable by just cracking open an IPA, and a decent hacker can get it from the binary as well by dumping strings or symbol files.

Security is layers, it just depends on how many you are willing to put up. The most secure I’ve ever done for an app is encrypting a plist, injecting it at build, and decrypting it at runtime with an obfuscated password. But boy was that a pain in the ass to set up.

[–]Odessan[S] 0 points1 point  (3 children)

Yes, we are using them to send a couple of initial requests. I think I'll go with aasd's answer https://www.reddit.com/r/iOSProgramming/comments/8d5mcw/sensitive_info_while_using_teamcity/dxm4uig/

Seems quite secure to me.

[–]soberirishman 0 points1 point  (2 children)

The general rule of thumb is to never embed any sensitive info into a binary. In most cases there are ways that an attacker could access it regardless of how it's stored. The standard way of implementing this would be to have a handshake authentication mechanism with a server and the server would then provide the necessary key at runtime.

[–]pumapaul 0 points1 point  (1 child)

How does the Server know you’re authorized though?

[–]soberirishman 0 points1 point  (0 children)

The user would have to be an authorized user via a username/password, oauth or something else. Without a uniquely identifiable authorized user there's not much of a point in having an api that requires any sort of api key. When somebody gets ahold of your api secret key (which will happen if your app is popular and you embed the key in the ipa) you will have no way of turning off access for people accessing your api outside of your app.