Question: Best Practice for Storing API Keys in iOS Apps (RevenueCat, PostHog, AWS Rekognition, etc.)

Hi everyone,

I’m looking for clarification on best practices for storing API keys in an iOS app — for example, keys used with RevenueCat, PostHog, AWS Rekognition, barcode scanners, and similar third-party services.

I understand that hard-coding API keys directly in the app’s source code is a bad idea, since they can be extracted from the binary. However, using a .plist file doesn’t seem secure either, as it’s still bundled with the app and can be inspected.

I’m wondering:

What are Apple’s recommended approaches for managing these kinds of keys?

Does Xcode Cloud offer a built-in or best-practice method for securely injecting environment variables or secrets at build time?

Would using an external service like AWS Secrets Manager or another server-side solution make sense for this use case?

Any insights or examples of how others are handling this securely within Apple’s ecosystem would be greatly appreciated.

Thanks for considering my questions!

— Paul

Answered by DTS Engineer in 863906022
Apple doesn’t have any official guidance here.

What you’re building here is a DRM system. You want to give the user something but limit how they use it. DRM systems are tricky, and not something that DTS supports in general [1].

Does Xcode Cloud offer … securely injecting environment variables or secrets at build time?

I don’t know, but it’s orthogonal to this question. The resulting secret will still end up baked into your app, which is what you’re trying to avoid.

As you explore solutions, I encourage you to consider your threat model. Who is trying to extract these secrets? What do they gain? And what do you lose?

You can then scale your effort based on that threat model. So, for example, if the negative consequences are small, you might choose to use a very simple scrambling technique. You can find my take on that in this post.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] We do support Apple DRM systems, including App Attest and FairPlay.
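To make the "very simple scrambling technique" mentioned in the answer concrete, here is an added example (not code from the original post, from Quinn, or from Apple). It XORs the key bytes with a random salt at build time and reverses the XOR at runtime, so the key does not appear in `strings` output or a plain search of the binary. The secret value, the type name `SecretScrambler`, and the array names `apiKeySalt` / `apiKeyScrambled` are all placeholders chosen for this illustration.

```swift
import Foundation

// Added example: a minimal XOR scrambler for an API key baked into an app.
// This is obfuscation, not encryption: the salt and the scrambled bytes both
// live in the binary, so anyone who reads the unscramble routine or attaches
// a debugger recovers the key. Use it only when the threat-model answer is
// "casual extraction is the only thing I care about".
enum SecretScrambler {
    /// Build-time step. Run once (for example from a unit test or a Swift
    /// script), then paste the two printed literals into the app source.
    static func scramble(_ secret: String) -> (salt: [UInt8], scrambled: [UInt8]) {
        let bytes = Array(secret.utf8)
        var salt = [UInt8](repeating: 0, count: bytes.count)
        for i in salt.indices {
            salt[i] = UInt8.random(in: UInt8.min...UInt8.max)
        }
        let scrambled = zip(bytes, salt).map { $0.0 ^ $0.1 }
        return (salt, scrambled)
    }

    /// Runtime step. Returns nil if the arrays disagree in length or the
    /// result is not valid UTF-8, so a paste mistake fails loudly.
    static func unscramble(salt: [UInt8], scrambled: [UInt8]) -> String? {
        guard salt.count == scrambled.count else { return nil }
        let bytes = zip(scrambled, salt).map { $0.0 ^ $0.1 }
        return String(bytes: bytes, encoding: .utf8)
    }

    /// Renders bytes as a Swift array literal ready to paste into source.
    static func literal(_ bytes: [UInt8]) -> String {
        "[" + bytes.map { String(format: "0x%02x", $0) }.joined(separator: ", ") + "]"
    }
}

// --- Build-time usage. The secret below is a constructed placeholder, not
// --- a real RevenueCat, PostHog or AWS key.
let demoSecret = "example_api_key_0123"
let (salt, scrambled) = SecretScrambler.scramble(demoSecret)
print("let apiKeySalt: [UInt8] = \(SecretScrambler.literal(salt))")
print("let apiKeyScrambled: [UInt8] = \(SecretScrambler.literal(scrambled))")

// --- Runtime usage. In the app, `salt` and `scrambled` would be the two
// --- pasted literals; ideally declared in different files so neither a
// --- string search nor a single glance at one constant reveals the pair.
let recovered = SecretScrambler.unscramble(salt: salt, scrambled: scrambled)
assert(recovered == demoSecret, "unscramble must round-trip the secret")
print("recovered key length: \(recovered?.count ?? 0)")
```

The point the answer makes about scaling effort to the threat model applies here: this stops `strings` and a hex-editor search, nothing more. If the key can authorize spending (a cloud vision API billed to you) or unlock paid content, the key should not be in the app at all; have a server you control hold it and issue the call on the client's behalf, and consider App Attest, which the answer notes DTS does support, to decide which clients the server will serve.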
