How to securely include secret key/signature in iOS/Cocoa apps

ios secure enclave api
secure enclave android
store api key in ios app
the signature does not include a secure timestamp
notarization apple
apple notarization catalina
secure enclave hacked

I want to include a secret key into an iOS app so that the app can "prove" to a certain server that a request is coming from the app itself and not some other system. I know that simply hardcoding a secret key into the code itself is very vulnerable as anyone can jailbreak their phone and attach GDB to my app's process to get the key. Are there any more secure ways of doing this? Is it possible of sufficiently obfuscate the key as to make this near impossible?

I believe that this is a similar problem to serial number validation. Unfortunately, that seems to get cracked regularly and easily. Are there any solutions to this?

All communication with my server will be done with HTTPS so at least sniffing/man in the middle attacks shouldn't be a concern.

Thanks, M

I'm afraid it's not possible to do that. But as far as I know apple will make sure no other app is spoofing your app's secret. If it's a jailbroken phone, then the user is in a way taking full responsibility, and possible damage should be limited only to the jailbroken phone user's data.

Storing Keys in the Secure Enclave, Keeping a private key in a keychain is a great way to secure it. The key data is encrypted on disk and accessible only to your app or the apps you authorize. Only iOS devices with one of these processors or a MacBook Pro with the Touch Bar and verifying cryptographic signatures, or for elliptic curve Diffie-Hellman key  Often when writing iOS apps, we need to store secret keys for accessing APIs and the like, so that your backend can verify that requests are actually coming from your app. And usually, it’s worth keeping these keys secret from most prying eyes, which is what this article is about.

Notarizing macOS Software Before Distribution, Notarization also protects your users if your Developer ID signing key is exposed. The notary Include a secure timestamp with your code-signing signature. How to securely include secret key/signature in iOS/Cocoa apps Tags ajax android angular api button c++ class database date dynamic exception file function html http image input java javascript jquery json laravel list mysql object oop ph php phplaravel phpmysql phpphp post python sed select spring sql string text time url view windows wordpress xml

Since the attacker would be in complete control of the client, the only method would be security through obscurity. You can implement a challenge/response model, but you must make it impervious to many other factors (replay attacks, etc).

This question contains one approach to hide a secret key in binary code.

Don't assume that by simply using https you can't have packet sniffing. What if the attacker changed their URLs inside your executable to point to their server? Then they can act as a relay.

A better way would be to provide some identity management inside the app (user picks a username, password is user/machine generated), and use those credentials for your service calls.

Cryptography In IOS (III): Sharing public keys between iOS and the , Cocoa has a great set of libraries, and Swift, even though not perfect, is a lovely language and private keys, primitive operations for encryption and signatures, secure cryptographic schemes, and related ASN.1 syntax representations This is essential if you want to integrate an iOS app in an Asymmetric  I want to include a secret key into an iOS app so that the app can "prove" to a certain server that a request is coming from the app itself and not some other system. I know that simply hardcoding a secret key into the code itself is very vulnerable as anyone can jailbreak their phone and attach GDB to my app's process to get the key.

I agree with @Nubis that there is no 100% bulletproof way to do it.

However, this library seems like a pragmatic solution to the problem:

It probably won't save you from a highly motivated attacker, but it won't make their life easy.

Managing secrets within an iOS app, Almost all iOS apps have API keys and other secrets, but simple Simple approaches for including secrets into an app would include: putting values can be used to manage your app secrets securely is cocoapods-keys. Questions: Want to know if there is a way to use some view controllers within a view controller which provides the same functionality as fragments in android ? I want to use custom so do not want to use TabViewController,SplitViewController etc. Answers: Container View Controllers allow to include child view controller inside another view controller.

As an update to @natbro's answer, a great solution is now to use CloudKit. With this method you'd create a record in the public database and each instance of the app would grab it on start up. Since CloudKit is based on iCloud login, it has most, if not all, of the same safeguards that an app-specific iCloud ubiquity-container would have. There are two main differences:

  1. CloudKit is more deterministic when it comes to retrieving data. You know secrets/keys will be available when you fetch them from CloudKit.

  2. Data from CloudKit isn't synced to the device or cached in the app's container, it's retrieved on-demand and any caching is up to you, the developer (note: I'd suggest caching the keys in the Keychain).

Here's a quick snippet for retrieving a record from CloudKit.

import CloudKit


let publicCloudKitDatabase = CKContainer.default().publicCloudDatabase
let recordID = CKRecord.ID(recordName: "default") // or whatever you name it

publicCloudKitDatabase.fetch(withRecordID: recordID) { (record, error) in
    if let secretRecord = record {
        guard let secret = secretRecord["aKey"] as? String else {
            print("Unable to get secret")

        self.secret = secret // or somesuch

Notes: You'll need to set up CloudKit as specified in the docs and then create a record that matches what your app is expecting or vice versa (in this case a record with recordName = "default" which contains a field with the key "aKey").

EllipticCurveKeyPair on, Show Apps using EllipticCurveKeyPair Sign, verify, encrypt and decrypt using the Secure Enclave on iOS and MacOS. create a private public keypair; store the private key on the secure enclave; store the public key in key – only accessible with touch id / device pin; Verify that the signature is valid using the public key. One way to do it is to set up a server with SSL support, then on first launch hit the server to download the credentials you need (say, as JSON or binary file) for the app to continue operating. Then parse and store the keys in the iOS secure keychain. This way the actual credentials are not embedded in your code binary.

[PDF] iOS Application Security, Summary. 31. 3. Defense: Developing Secure iOS Applications It discusses the security of Objective-C and Cocoa Touch as well as the signature includes information that can be used to determine who signed the code with the private key that corresponds to the certificate in the computer's Keychain. To get an API key, see the Premium Plan: Get API Keys . Use the left navigation bar to select the desired API or SDK. Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies

PowerAuth SDK for iOS · wultra/powerauth-mobile-sdk Wiki · GitHub, layout: page title: PowerAuth Mobile SDK for iOS Apps Post-Installation steps. Disabling bitcode; Include PowerAuth SDK in your sources CocoaPods is a dependency manager for Cocoa projects. You can Asymmetric Private Key Signature uses a private key stored in the PowerAuth 2.0 secure vault. Android: Secret Server Password Manager App. Keep private information well-organized and secure. Easily create, view, and edit passwords for multiple accounts. Access passwords from your Android phone and computer. Enjoy using features that display well and load fast. Create ‘favorites’. Count on extreme security for your passwords:

iOS Security Tutorial, For this tutorial, the private key to be used for digital signature is to be iOS's secure enclave supports 256-bit elliptic curve keys (ECC) only. First thing is to assemble the private key parameters dictionary (which will include the How to apply Asymmetric Encryption in iOS apps using Swift Security APIs. Stack Exchange network consists of 176 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

  • +1 for "there is no way to secure such a thing." If you put the "secret" into the app, then it's no secret. It's like a dog covering up a bone. A little digging will find it ... especially where the grass looks funny.
  • Sorry, I meant 'schema' not 'secret', small lapsus. Apparently the OP understood anyways :)
  • This is very helpful, natbro! Are there any updates for iOS 7?
  • I haven't found any additional avenues to do this simply in iOS7 (but haven't looked deeply). I did find that using iCloud to distribute this kind of data can be quite awkward on first-run, due to iCloud flakiness. Once you get the value, it's a great solution, but you can't be sure how soon it will get to the device. Really wish Apple would add something to support this.
  • what's the approach to storing private key into the iCloud container?
  • It might also be worth considering delivering the shared secret via initial silent push notification (ios 8+). Obviously, if the user disables notifications for the app you are out of luck. WWDC 2014 session: 713 discusses the topic more. I believe silent notifications are accepted by default, but the user can disable notifications in the settings app by disabling Background App Refresh. More here: Obviously would need to ensure delivery some how and provide appropriate visual messaging if the secret data has not arrived yet.
  • The client_secret is used to authenticate the client to the server. So, what's to stop a malicious client from requesting the key from the server?