How to Secure iOS App Secret Data With Vault

How to secure app secrets with Vault

Working on mobile apps, as developers, we interact with APIs all the time. In order to connect to these APIs, we use API keys. These API keys are very important as it maps/identifies us as a unique user of the system we are trying to integrate with. We always need to make sure these API keys are not accessed by unintended users. Rate limiting, quota control, and security are some of the reasons why API providers have API keys. 

One of the good security practices is not to save secrets and API keys as part of your source code. But if we don’t put them in the source code, how will our code know about them and consume it. Well, the answer to the problem is using a security tool called “Vault”. There are various vault options to store secrets, we will talk about the Hashi Corp Vault System. In this article, I will walk you through how to integrate vault with an iOS app. 

Prerequisites 

  1. Setting up Vault — Please set up your vault following the instructions mentioned in the link.
  2. Write Secret — Please make sure you have written your secrets that your iOS application will use.

Integrate with iOS App

Vault can be used to read and write app secrets like API keys. Let's dive into details about how we will actually integrate vault with our iOS app. 

Authenticate to Vault 

In order to talk to our Vault, we need to authenticate ourselves first. We will use one of the authentication methods that we support in our vault implementation. This will depend on what you chose in the prerequisites. Once you authenticate you get a token that will be used to read your secrets.

Pre Build Script

Add a prebuilt script in Xcode, this will pull the secret from the vault before building your app code. We will use the token retrieved in the previous step to authenticate. Say you wrote a secret on this path /v1/secret/foo of your vault server. You would read it via api call as shown below:

curl -H "X-Vault-Token: {token}" -X GET http://{yourserver}/v1/secret/foo

And you get a JSON response with secrets stored in that path. For eg,

{   
"tool1Apikey": "tool1ApiKey",
"tool2Apikey": "tool2ApiKey"
"tool3Apikey": "tool3ApiKey"
}

Save the JSON output as a file and name it whatever you want. For example, I am going to name it as secretData.json. This file will be part of the project directory so that it can be referred locally from our application code.

Reading the SecretData JSON

Third-party libraries usually require initialization right away while our application loads. And to initialize them properly we need API keys. So we will have to read this secret file as the first thing in our AppDelegate. We can easily confine this entire responsibility by making a singleton class say VaultManager, which will read the secretData JSON and expose those values with handy getters that we can use in our app. Code for VaultManager.swift would look something like this.

import Foundation

enum SecretKey:String {

    case tool1Apikey = "tool1Apikey"

    case tool2Apikey = "tool2Apikey"

    case tool3Apikey = "tool3Apikey"

}

class VaultManager {

    static let sharedInstance = VaultManager()

    private var secretData:SecretResponse?

    private init(){

        readSecretFile()

    }

    

    private func readSecretFile() {

        if let url = Bundle.main.url(forResource: "secretData", withExtension: "json") {

            do {

                let data = try Data(contentsOf: url)

                let decoder = JSONDecoder()

                secretData = try decoder.decode(SecretResponse.self, from: data)

                print("success")

            } catch {

                print("error:\(error)")

            }

        }

    }

    

    func getSecretKey(withKeyName:SecretKey) ->String? {

        switch withKeyName {

        case .tool1Apikey:

            return secretData?.tool1Apikey

        case .tool2Apikey:

            return secretData?.tool2Apikey

        case .tool3Apikey:

            return secretData?.tool3Apikey

        }

    }

}


fileprivate struct SecretResponse:Codable {

    let tool1Apikey:String

    let tool2Apikey:String

    let tool3Apikey:String

}

In the code snippet above, singleton VaultManager will take care of reading the secret and made it available to be used anywhere you need in the app.

Access the read secret

The vault manager in the snippet above exposes a method call 

func getSecretKey(withKeyName:SecretKey) ->String?

So if we need to get the key anywhere in the app, all we have to do is call this method and pass the key name. For example:

let keyValue = VaultManager.sharedInstance.getSecretKey(withKeyName: .tool1Apikey)

This way we have totally decoupled the requirement of app secrets for eg API keys to be part of source code. 

Conclusion

As a good security practice, we shouldn’t ever store app secrets like API Key in the codebase. They should be packaged with the app dynamically. Vault acts as a great tool to secure your app secrets. Which Vault solution are you using? Let me know your experience in the comments below. 


Popular posts from this blog

How to make an iOS App Secure?

Image
This is mobile era and pretty much everything these days can happen from our smart phone. Thanks to millions of apps out there which help us in accomplishing anything we want. Whether it is maintaining your schedule (calendar) to managing financial information on the go, all things can be done by mobile apps running on our smart phones. Since these apps have access to so much of confidential information, as developer when we make an app we need to follow highest security standards so that information is not accessed by someone who is not entitled for it.  When it comes to iOS devices there are more than billion active devices that use iOS apps on daily basis.  Here I am compiling the different security practices that an iOS developer should always keep in mind while developing apps. 1. Enable ATS in mobile apps  With launch of iOS 9 and ELCapitan Apple launch ATS (Apple Transport Security) which forces apps to only connect to secure network. This means any connection that application m
Read more

System Design Interview For Mobile Engineers

Image
Introduction As you gain seniority in Software Engineering, the system design interview becomes the most important interview. This interview is focused on your ability as an engineer to look at and understand the design of an application from a holistic level. You are expected to start from a high-level view and then do a deep dive into individual components. In this article, I have shared my recipe to approach the system design interview problem by going through an example. Sounds interesting?... Keep reading I find the system design interview interesting because they are most realistic, holistic, and involve great communication skills.  Approaching a System Design Problem So I watched different kinds of system design interviews tutorials and made  my own custom script that made sense to me as a mobile developer. By no way or means, this is a comprehensive list, this is just something that has worked for me. So here is the rundown of different sections I used to tackle the system desi
Read more

How to make iOS app secure from screenshot and recording?

Image
  Thanks to the mobile era we have mobile apps for everything these days. Every business from a barbers shop to huge retailers has apps so that they can be closer to their customers. On one hand, we really leverage this convenience but on the other hand, there are risks of exposing a lot of confidential information while using these apps. And it becomes very vital when dealing with payments and other sensitive information. As a developer of these apps, it is our responsibility to put checks to make sure privacy and security are not compromised. One of the ways is to detect/prevent screenshot and screen recording action and taken an action or inform the user to take appropriate action.  Use Cases Here are some use cases where screen capture and screen recording can expose sensitive information: 1. Login information can be recorded Any app that requires a login to get access to sensitive information. We need to make sure that only the intended person can log in. If screen recording or sc
Read more