When working on mobile apps, we interact with APIs all the time, and to connect to those APIs we use API keys. These keys matter: they identify our app as one particular client of the system we are integrating with, and the provider relies on them for rate limiting, quota control and access control. We always need to make sure they cannot be read by unintended parties.

A basic security practice is not to keep secrets and API keys in your source code. But if we don't put them in the source, how does our code learn about them and consume them? The answer is a dedicated secrets store, a "vault." There are various vault options; here we will use HashiCorp Vault. In this article, I will walk you through how to integrate it with an iOS app.

Prerequisites

  1. Set up your vault by following these instructions.
  2. Make sure you have written, into the vault, the secrets that your iOS application will use.

Integrate With iOS App

A vault can be used to read and write app secrets like API keys. Let’s dive into details about how we will actually integrate a vault with our iOS app.

Authenticate to vault

In order to talk to our vault, we need to authenticate first, using one of the authentication methods enabled in our vault; which one depends on what you chose in the prerequisites. A successful login returns a Vault token, and every subsequent read is authenticated with that token. Treat the token as a secret in its own right: it belongs in your CI system's secret store or the developer's shell environment, never in the repository or the Xcode project file.

Pre-build script

Add a Run Script build phase in Xcode and move it above Compile Sources, so it pulls the secret from the vault before your app code is built. The script authenticates with the token retrieved in the previous step. Say you wrote a secret at the /v1/secret/foo path of your vault server (the KV version 1 layout; with KV version 2 the read path is /v1/secret/data/foo). You would read it with an API call like the one below. Use HTTPS: the token in that header grants whatever the login policy allows, and a plaintext HTTP request would expose it to anyone on the network path.

curl -H "X-Vault-Token: {token}" -X GET https://{yourserver}/v1/secret/foo

The raw response is not quite the bare secrets: Vault wraps the key/value pairs in a data object (and, for KV version 2, one level deeper in data.data) alongside lease and metadata fields. Extract that object before saving it, and what you keep is a flat JSON document of the secrets stored at that path. For example:

{
  "tool1Apikey": "tool1ApiKey",
  "tool2Apikey": "tool2ApiKey",
  "tool3Apikey": "tool3ApiKey"
}

Save that JSON as a file, named whatever you want; I am going to call it secretData.json. It lives in the project directory and is added to the target's Copy Bundle Resources phase so the app can read it from its bundle at runtime. Two caveats apply. First, add the file to .gitignore: it is regenerated on every build, and committing it would put the secrets straight back into source control, which is exactly what the vault was meant to prevent. Second, anything copied into the bundle ships inside the IPA and can be read by anyone who extracts it; this setup keeps keys out of your repository and build history, not out of the hands of someone who reverse-engineers the app, so the keys you bundle should be scoped as narrowly as the provider allows.
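The pre-build step described above, written out as an added example (my script, not the author's). It is a Swift file rather than a shell script so that everything on this page stays in one language; Xcode runs it from the Run Script phase with xcrun swift "${SRCROOT}/Scripts/fetch_secrets.swift". Assumed inputs, none of which appear in the original: the Vault address and token arrive in the VAULT_ADDR and VAULT_TOKEN environment variables (the same names the Vault CLI uses), SRCROOT is set by Xcode for every build phase, and the secret sits at the KV v1 path secret/foo. The script refuses plaintext HTTP, unwraps the data object that Vault puts around the key/value pairs (KV v1 or v2), and writes the flat JSON the app will read.

```swift
#!/usr/bin/env swift
// Added example pre-build script (not the article's own). Xcode Run Script phase body:
//   xcrun swift "${SRCROOT}/Scripts/fetch_secrets.swift"
// Assumed inputs: VAULT_ADDR and VAULT_TOKEN in the build environment (the
// variable names the Vault CLI uses), SRCROOT set by Xcode, and the secret
// written at the KV path secret/foo used in the article.
import Foundation

struct VaultError: Error, CustomStringConvertible {
    let description: String
}

/// Vault does not return the bare key/value object: KV v1 wraps it as
/// {"data": {...}} and KV v2 as {"data": {"data": {...}, "metadata": {...}}}.
/// Unwrap either shape into the flat object the app will read.
func extractSecrets(fromVaultResponse body: Data) throws -> [String: String] {
    guard let top = try JSONSerialization.jsonObject(with: body) as? [String: Any],
          let data = top["data"] as? [String: Any] else {
        throw VaultError(description: "response has no \"data\" object")
    }
    let kv = (data["data"] as? [String: Any]) ?? data   // KV v2 nests one level deeper
    var secrets: [String: String] = [:]
    for (key, value) in kv {
        guard let s = value as? String else {
            throw VaultError(description: "secret \(key) is not a string")
        }
        secrets[key] = s
    }
    return secrets
}

/// Synchronous GET with the token header. A build phase is a plain process
/// with no run loop, so block on a semaphore until the request completes.
func vaultGET(_ url: URL, token: String) throws -> Data {
    var request = URLRequest(url: url)
    request.setValue(token, forHTTPHeaderField: "X-Vault-Token")
    var outcome: Result<Data, Error> = .failure(VaultError(description: "no response"))
    let done = DispatchSemaphore(value: 0)
    URLSession.shared.dataTask(with: request) { body, response, error in
        defer { done.signal() }
        if let error = error { outcome = .failure(error); return }
        let status = (response as? HTTPURLResponse)?.statusCode ?? -1
        guard status == 200, let body = body else {
            outcome = .failure(VaultError(description: "Vault returned HTTP \(status)"))
            return
        }
        outcome = .success(body)
    }.resume()
    done.wait()
    return try outcome.get()
}

/// Print to stderr and fail the build; Xcode surfaces non-zero exit as a build error.
func fail(_ message: String) -> Never {
    FileHandle.standardError.write(Data("error: \(message)\n".utf8))
    exit(1)
}

let env = ProcessInfo.processInfo.environment
guard let addr = env["VAULT_ADDR"], let token = env["VAULT_TOKEN"], let srcroot = env["SRCROOT"] else {
    fail("VAULT_ADDR, VAULT_TOKEN and SRCROOT must be set")
}
// The token authenticates as you; never let it travel in cleartext.
guard addr.hasPrefix("https://") else {
    fail("refusing to send the Vault token over plaintext HTTP (VAULT_ADDR=\(addr))")
}

do {
    let body = try vaultGET(URL(string: "\(addr)/v1/secret/foo")!, token: token)
    let secrets = try extractSecrets(fromVaultResponse: body)
    let json = try JSONSerialization.data(withJSONObject: secrets, options: [.prettyPrinted, .sortedKeys])
    let dest = URL(fileURLWithPath: srcroot).appendingPathComponent("secretData.json")
    try json.write(to: dest, options: .atomic)
    // Owner-only on disk; the path must also be in .gitignore so it never reaches source control.
    try FileManager.default.setAttributes([.posixPermissions: 0o600], ofItemAtPath: dest.path)
    print("wrote \(secrets.count) secrets to \(dest.path)")
} catch {
    fail("\(error)")
}
```

Exporting VAULT_TOKEN from a CI secret store (or from a developer's shell after vault login) is what keeps the token itself out of the project; the script fails the build rather than silently producing an empty secretData.json if either variable is missing or the server rejects the token.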

Reading the SecretData JSON

Third-party libraries usually require initialization as soon as the application loads, and to initialize them properly we need the API keys. So reading this secret file has to be the first thing our AppDelegate does. We can confine the whole responsibility to a singleton class (e.g. VaultManager) that reads the secretData JSON and exposes the values through handy getters we can use anywhere in the app. The code for VaultManager.swift would look something like this:

In the code snippet above, the singleton VaultManager will take care of reading the secret and make it available to be used anywhere you need in the app.

Access the read secret

The vault manager in the snippet above exposes a method call:

func getSecretKey(withKeyName: SecretKey) -> String?
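An added example implementation of such a VaultManager (my code, not the author's listing) that exposes exactly that method. The SecretKey enum cases are an assumption chosen to match the three keys in the sample JSON earlier on the page; the bundle loader is what the app uses, and the init(jsonData:) path exists so the class can also be exercised with constructed input, as the demo function at the bottom does.

```swift
import Foundation

/// Every secret the app expects from secretData.json. The case names are
/// assumed here to match the sample JSON above; using an enum instead of raw
/// strings turns a misspelled key into a compile error rather than a nil at runtime.
enum SecretKey: String, CaseIterable {
    case tool1Apikey
    case tool2Apikey
    case tool3Apikey
}

/// Singleton that loads secretData.json once and hands out values by key.
final class VaultManager {
    static let shared = VaultManager()

    private let secrets: [String: String]

    /// Parses already-loaded JSON. Exposed so the class can be fed constructed
    /// input (unit tests, the demo below) without touching the app bundle.
    init(jsonData: Data) {
        do {
            let parsed = try JSONSerialization.jsonObject(with: jsonData)
            guard let dict = parsed as? [String: String] else {
                fatalError("secretData.json must be a flat JSON object of strings")
            }
            secrets = dict
        } catch {
            fatalError("secretData.json is not valid JSON: \(error)")
        }
    }

    /// Loads the file the pre-build script placed in the app bundle. A missing
    /// file means the build ran without that script; crash at startup rather
    /// than initialize third-party SDKs with empty keys.
    private convenience init() {
        guard let url = Bundle.main.url(forResource: "secretData", withExtension: "json"),
              let data = try? Data(contentsOf: url) else {
            fatalError("secretData.json not found in bundle; did the Vault pre-build script run?")
        }
        self.init(jsonData: data)
    }

    func getSecretKey(withKeyName key: SecretKey) -> String? {
        secrets[key.rawValue]
    }

    /// Keys the app declares but the file does not provide. Check this in
    /// AppDelegate before any third-party SDK is configured.
    func missingKeys() -> [SecretKey] {
        SecretKey.allCases.filter { secrets[$0.rawValue] == nil }
    }
}

/// Stand-alone demo on constructed input (not the real bundle file). The sample
/// deliberately omits tool3Apikey so missingKeys() has something to report.
func demo() {
    let sample = Data(#"{"tool1Apikey": "tool1ApiKey", "tool2Apikey": "tool2ApiKey"}"#.utf8)
    let manager = VaultManager(jsonData: sample)
    print("tool1:", manager.getSecretKey(withKeyName: .tool1Apikey) ?? "<absent>")
    print("missing:", manager.missingKeys().map(\.rawValue))
}
```

In application(_:didFinishLaunchingWithOptions:), call VaultManager.shared.missingKeys() first and precondition that it is empty, then pass each getSecretKey(withKeyName:) result to the corresponding SDK initializer. Keep in mind that the values come from a JSON file inside the bundle, so anyone who extracts the IPA can read them; the manager keeps the keys out of your repository, not out of the shipped binary.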

#security #ios #swift #programming #mobile

How to Secure iOS App Secret Data With Hashicorp Vault