Reputation: 19869
Safe way to store secretAccessKey on iOS application
I am using amazon S3 to provide IAP content.
Is there a "Safe" way to store the secretAccessKey inside my app so hackers can't use it to get the files?
Upvotes: 2
Views: 224
Answers (2)
Reputation: 84124
The best way to do this is not to give out normal secret access keys at all.
First create an IAM user that has access to only what is needed, so that even if someone does get their hands on the credentials they can only access what you want them too (e.g. get files from a specific S3 bucket, but not modify them)
When the iOS app needs to access the S3 files it connects to a web server you control. That web server users STS to generate a set of credentials that will expire after the desired amount of time. These look like normal aws credentials (access key, secret, session id) but will eventually expire.
Amazon provide some reference implementations of these token vending machines and has an article discussing the setup in more detail.
Upvotes: 2
Reputation: 547
Did you look for appropriate method using Keychain framework? Keychain Services Tasks for iOS
Upvotes: 0
Related Questions
- Security Key store into constant file is secure or suggest any alternate solution?
- How to store critically sensitive information such as secret, key, token, encryptionKey in iOS application
- Xcode where to store 3rd party API secret / password / id
- Storing API keys in the cloud for an iOS app
- How to store sensitive data (e.g. passwords, API keys) in Cocoa app?
- Proper way to store username and password in iOS application
- iOS: Is there a safe way to include an API key in the code?
- What is a secure way to store and access private S3 objects from mobile applications?
- Best Place to Store Included AWS Credentials in an iOS Application
- Best practices for securing API credentials as part of an iPhone app