Reputation: 8268
I am trying to find a way to store API keys for 3rd party services in the cloud (for example, say I want to connect to Twitter; I would need an API key and secret to make OAuth requests).
I specifically am looking for a way to store it in the cloud and somehow make use of it on demand (I don't want to embed it in the app itself). I don't want the API key and secret to be easily accessible but still want users to be able to make 3rd party API requests.
I'm not a security expert so just off the top of my head I had the following idea:
Is this safe enough as long as I send/receive the key/secret values over HTTPS? Or do I need to encrypt them further? And would even that be enough?
Upvotes: 1
Views: 1264
Reputation: 23436
I would not recommend you returning client credentials (API key and secret) for a 3rd party service to your client. You cannot keep these things secret on a public client like an iOS app.
A better way is to have your server make the call to the 3rd party API and proxy the results back to your app. That way, the API key and secret can be stored safely on your server and if the 3rd party API ever changes, you only have to update your server code, and not all your iOS apps.
Upvotes: 2
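A minimal sketch of the server-side proxy described in the answer above, added here as an example and not part of the original post. The upstream host, the route names, the bearer-token scheme and the THIRD_PARTY_SECRET environment variable are assumptions; a real deployment would also authenticate the app's own users before relaying anything.

```python
import os
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed values for this sketch: hypothetical upstream host and routes.
UPSTREAM = "https://api.thirdparty.example"
ALLOWED = {"/timeline": "/v1/timeline", "/search": "/v1/search"}  # app route -> upstream route
FORWARDED_PARAMS = {"q", "count"}  # only these query parameters are relayed

def build_upstream_request(path_and_query, api_secret):
    """Map an app request onto an upstream request carrying the server-held secret."""
    parts = urllib.parse.urlsplit(path_and_query)
    upstream_path = ALLOWED.get(parts.path)
    if upstream_path is None:
        return None  # unknown routes are refused, so this is not an open relay
    params = [(k, v) for k, v in urllib.parse.parse_qsl(parts.query)
              if k in FORWARDED_PARAMS]
    url = UPSTREAM + upstream_path
    if params:
        url += "?" + urllib.parse.urlencode(params)
    # No client headers are copied; the credential is attached here and nowhere else.
    return urllib.request.Request(url, headers={"Authorization": "Bearer " + api_secret})

class ProxyHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # The secret is read from the server's environment, never sent to the app.
        req = build_upstream_request(self.path, os.environ["THIRD_PARTY_SECRET"])
        if req is None:
            self.send_error(404)
            return
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                status, body = resp.status, resp.read()
        except OSError:  # URLError and HTTPError are subclasses of OSError
            self.send_error(502)  # upstream error details are not echoed to the client
            return
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), ProxyHandler).serve_forever()
```

The app calls only the proxy's routes over HTTPS (terminated in front of this process), so rotating the third-party key is a server-side change.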