Sensitive information in source code - API Key - Swift

Sensitive information in source code - API Key - Swift

Need

Secure storage and retrieval of sensitive information, such as API keys, in the source code.

Context

  • Usage of Swift programming language for iOS and macOS app development
  • Usage of UIKit for building modern and responsive user interfaces

Description

Non compliant code

        import UIKit

class ViewController: UIViewController {

    let apiKey = "1234567890abcdef"

    override func viewDidLoad() {
        super.viewDidLoad()
        // Do any additional setup after loading the view.
    }
}
        
        

In this Swift code snippet for an iOS application, an API key is stored directly in the source code. This key is represented as a string variable apiKey in the ViewController class.

This presents a security vulnerability as the API key is in plain text and can be easily accessed if the source code is exposed. API keys are sensitive information and should not be stored directly in the source code.

Storing sensitive information in the source code can lead to a variety of security risks, including unauthorized access to your services, data breaches, and potential financial loss if the API key is used for billing purposes.

The key should be stored in a secure location, such as environment variables or secure key storage, and accessed through secure means.

Steps

  • Remove the API key from the source code.
  • Store the API key securely in a separate configuration file or environment variable.
  • Ensure that the configuration file or environment variable is not accessible to unauthorized users.
  • Update the code to retrieve the API key from the secure configuration file or environment variable at runtime.
  • Implement proper access controls and authentication mechanisms to protect the API key.
  • Regularly monitor and update the API key to prevent unauthorized access.

Compliant code

        import UIKit

class ViewController: UIViewController {

    var apiKey: String?

    override func viewDidLoad() {
        super.viewDidLoad()
        // Do any additional setup after loading the view.
        loadAPIKey()
    }

    func loadAPIKey() {
        if let filePath = Bundle.main.path(forResource: "Config", ofType: "plist") {
            let plist = NSDictionary(contentsOfFile: filePath)
            apiKey = plist?.object(forKey: "API_KEY") as? String
        }
    }
}
        
        

The above code removes the hard-coded API key from the source code and instead loads it from a secure configuration file at runtime.

The loadAPIKey function is called in the viewDidLoad method. This function retrieves the API key from a property list file (plist) named "Config". The plist file is a type of file used by iOS applications to store configuration data.

The API key is stored under the key "API_KEY" in the plist file. The object(forKey:) method is used to retrieve the value of the API key.

This approach ensures that the API key is not exposed in the source code and is loaded securely at runtime.

Please note that the plist file should be securely stored and not included in the source code repository to prevent unauthorized access.

Also, it's important to implement proper access controls and authentication mechanisms to protect the API key. Regularly monitor and update the API key to prevent unauthorized access.

This approach significantly reduces the risk of the API key being exposed and misused.

References