Storing API and App secrets within enterprise iOS app

Question

I have a requirement to remove all API keys and app secrets from the source code of the app we are building. Ideally the keys and app secrets should be sent to the app out of band as a configuration file, through an MDM solution.

Is this possible, and if so how? If not, what is the recommended approach to store this kind of information, such that it cannot be viewed in the source or extracted from the binary?

EDIT: Update

It is possible to send NSUserDefaults to the app via the MDM solution using Managed App Configuration. However, NSUserDefaults is not secure, easily viewed and modified by a casual user.

My plan is to encrypt the NSUserDefaults to prevent this using the common crypto library included in iOS. Is this the best approach to this problem? Should I also be sending a certificate as part of the MDM config?

Any thoughts, comments, and recommendations appreciated before I go too far down this route.

Answer 1

I know it's been a while, but I recently looked into this (not for an MDM application). I don't have any experience with MDM and that may have another solution. The route I chose to go was using CloudKit. It's a 1st party solution, always available whether the user is logged in to iCloud or not and you communicate securely with Apple's servers and only your App can access these keys. Also depending how you set it up you can easily rotate out keys. See more info here