
iPhone application and security?

How do you secure a key in your iPhone application?

I have an API key that is used by the client application, and do not want anyone to see it; only the application should be able to read it.

1) How do I safely store this in my application? Storing it into a variable? Is good enough?

2) What happens if someone decrypts my application? (Is that possible?)


There are a lot of questions here, so let me answer them one at a time:

How do you secure a key in your iPhone application?

I assume that you are trying to secure it from the user of your application. This is impossible unless you are using a trusted computing platform, i.e. a platform that can be trusted to not obey orders from its owner (sometimes called treacherous computing for that reason). iPhone is not such a platform to my knowledge.

I have an API key that is used by the client application, and do not want anyone to see it, only the application should be able to read it.

If your application can read it then the owner of the platform that your application runs on can read it as well. (The exception would be a trusted computing platform - see above.)

how do I safely store this in my application?

You can't.

storing it into a variable?

You might.

is good enough?

No.

What happens if someone decrypts my application?

Then he gets your key.

Is that possible?

Yes.

If you don't want your users to know your key then don't give it to them in the first place. Set up a proxy server that your application would connect to and keep your secrets there.

There's an old saying that every secret has to be treated like public knowledge unless it's known by no more than two people. This applies to software too.
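
The proxy approach suggested in the answer above, as an added sketch that is not part of the original posts: a small server holds the API key and attaches it to the requests it forwards, so the key never ships inside the app. The upstream host, the routes, the `X-Api-Key` header name and the `UPSTREAM_API_KEY` environment variable are assumptions.

```python
import os
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical values for this sketch: upstream host, routes and header name.
UPSTREAM = "https://api.example.com"
ALLOWED_PATHS = {"/v1/search", "/v1/items"}      # only the routes the app needs
FORWARDED_HEADERS = {"accept", "content-type"}  # client headers passed through


def build_upstream_request(path, client_headers, api_key):
    """Build the upstream request for a client call; None if the route is not allowed."""
    route = path.split("?", 1)[0]
    if route not in ALLOWED_PATHS:
        return None
    req = urllib.request.Request(UPSTREAM + path, method="GET")
    for name, value in client_headers.items():
        if name.lower() in FORWARDED_HEADERS:   # drops any client-sent key/auth header
            req.add_header(name, value)
    req.add_header("X-Api-Key", api_key)        # secret is attached server-side only
    return req


class KeyProxy(BaseHTTPRequestHandler):
    def do_GET(self):
        # The key lives in the server's environment, never in the app binary.
        req = build_upstream_request(self.path, dict(self.headers.items()),
                                     os.environ["UPSTREAM_API_KEY"])
        if req is None:
            self.send_error(404)
            return
        try:
            with urllib.request.urlopen(req, timeout=10) as upstream:
                status, body = upstream.status, upstream.read()
                ctype = upstream.headers.get("Content-Type", "application/octet-stream")
        except OSError:                          # URLError, HTTPError and timeouts
            self.send_error(502)                 # do not leak upstream error detail
            return
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), KeyProxy).serve_forever()
```

Without per-user authentication and rate limiting in front of it, such a proxy lets anyone spend the key's quota, so it protects the key itself but not access to the upstream service.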


Consider storing the key in the iPhone's keychain repository. Take a look at the Apple-provided keychain sample app here:

http://developer.apple.com/library/ios/#samplecode/GenericKeychain/Introduction/Intro.html

Hope this helped. Good luck.


I agree with Greg Thompson; Apple recommends the use of the keychain to store secure data such as credentials.

On the other hand, there are a couple of articles around the web that say that the keychain is no longer "the safer zone", because some people were able to decode its data (and pretty quickly).

With iOS 4.0 and later, some improvements in security were made, called Data Protection (you can google it like: iOS data protection). If you are interested in this topic, you'll find the Session 209 - Securing Application Data from WWDC 2010 Session Videos very interesting. You can get this video for free via iTunes store - iTunes U

Hope this helps
