Developers often believe that mobile applications provide a secure way to store sensitive information. They may think that the compiled code is unreadable and free from hard-coded values. However, an experienced and motivated hacker can effortlessly extract these keys and even automate the process of extracting hard-coded values.

Remember this: never store or hard-code sensitive keys inside your app.
It's a critical measure to safeguard your app and protect user data from potential threats.

Relying on compiled mobile applications for secure storage is a pressing concern. According to this article, a mere 0.5% of mobile applications harbor AWS API keys, exposing over 100 million users. However, the actual percentage is probably much higher, considering this statistic only accounts for AWS API keys. Numerous other critical keys should never be directly stored in code, and innumerable articles detail such vulnerabilities.
Additionally, there are CWE issues that delve into this very subject.

Beware of the Risks!

Hard-coded, sensitive data in application binary can always leak and could be used to harm your business. API keys may provide access to third-party services like AWS storage, SMS gateway, payments API, or analytics. While analytics keys don't lead to much risk, leaking any other keys may lead to severe consequences.
Let's see some examples.

1. API keys for accessing free public data
   Rest assured, these scenarios have no tangible risk as API requests are free, and the stored data is public. Any potential attacker can easily create their own key, making it unlikely for them to use yours.
2. API keys for accessing private data
   The most compelling example of the potential dangers is the hard coding of an AWS API key. If this key falls into the wrong hands, it could lead to a catastrophic data breach, resulting in severe financial penalties for violating GDPR and other data protection laws. Recent cases have seen companies hit with massive fines, with the highest reaching a staggering €50m. The internet is full of articles detailing the risks of AWS API key leaks, so staying informed is crucial.
   You can read more about it here.
3. API keys for accessing SMS gateways
   Imagine a scenario where an attacker can exploit a hard-coded key to send unauthorized SMS and sign up for a spam service, leading to financial losses from your connected account. This could potentially result in a significant loss of funds within a short period.
4. API keys for accessing payment services
   Envision an application with a key that grants access to transfer money to and from a Bitcoin wallet. If this key falls into the wrong hands, all the funds in your account could be siphoned off or exploited for illicit activities like money laundering.

Alright. But where should I store my secret tokens?

Again, don't hardcode your tokens anywhere in your code.

When communicating with a sensitive external API, it's crucial to prioritize security. To achieve this, request the backend to create a dedicated, authenticated endpoint. By implementing proper security measures and using user tokens for authentication, you can ensure that only authorized individuals can access the API. This approach effectively safeguards against potential attacks and provides a secure channel for communication with the backend.

Getting these secrets out is pretty tough, isn't it?

It might seem like a daunting task, especially if the app utilizes paid solutions to obfuscate the code and encrypt every string within the app. However, despite all these, retrieving them in the end is still entirely feasible.

Picture this: an attacker effortlessly automating a search for secret keys within mobile apps. It's a frighteningly simple scenario, but it's a reality if your app lacks obfuscation. With just a pattern to look for, attackers can create scripts to scour your app's code and files for sensitive keywords like 'key' and 'secret.' This is just the tip of the iceberg. Sophisticated scripts can crack even the most well-protected secrets.

This is why it's crucial not to store keys that could leave you vulnerable. Protect your app and users – never underestimate the importance of safeguarding your secrets.

To truly grasp the concept that uncovering secrets isn't always as daunting as it seems, I highly recommend tackling the UnCrackable Mobile Apps challenges offered by OWASP.

The secret key is stored as a variable

Many developers store a secret key as a property.

private let confidentialKey = "confidential_key_value"

Storing a secret key in iOS may seem simple, but it can be easily extracted using powerful tools like Hopper Disassembler. It's crucial to consider more secure methods to protect sensitive information.

If you want to test it yourself, load your .ipa project file into Hopper and click the "Str" button in the left menu.

After that, you can search for the value of the provided key.

You'll find that discovering a stored secret is a breeze when it follows a distinct pattern. With the ability to search for strings containing that pattern, finding it is a piece of cake.

The secret key stored in an array of Ints

A practical method for safeguarding hard-coded strings involves encrypting and encoding them into an array of Ints. By employing this approach, the strings remain concealed within the Hopper's str section. Nevertheless, it's crucial to acknowledge that a determined individual could still access the properties of the containing class through dynamic analysis tools such as Frida.

So, if you use Frida, you'll find that the code for an Objective-C class will look similar to this:

var instance = ObjC.classes["ClassWithKeys"].alloc().init();
console.log("Class properties: " + instance["- _ivarDescription"]());

The initializer will return all the class properties and methods and print them to the console.

We can significantly strengthen security measures by storing these secrets in encrypted form and implementing a separate class for decryption.

Although the app will still require a memory location for the decrypted form, this approach will undoubtedly raise the bar for those attempting to access its secrets.

At the end of the day...

Securing your binary file against potential leaks of hard-coded keys can be a daunting challenge, but even with advanced encryption and obfuscations, determined attackers can find a way to extract them.

That's why the most effective approach to safeguarding secrets is to avoid storing them altogether :)

So, the only most secure option when interacting with a third-party API is to consider establishing a separate endpoint on your backend for communication.