What's the best/simplest way to protect API keys in Xcode?

Question

I am working on a simple iOS app in Swift that uses an API that I pay for. I do not have a ton of resources and have yet to find a simple/up to date solution to this issue. I want to protect my API key and not put the key directly in my code where I make requests (I have heard this is best practice). What would be the simplest way to protect my API key from someone taking apart my code and using it.

I've heard something about using Keychain but I'm unsure if this is the best route.

class APIService {

    static let shared = APIService()
    private let token = "(my token goes here)"

    //...various API request functions
}

Answer 1

There is no easy way, nor is there a way to completely protect them from attackers. You can always do some simple key obfuscation or store them in a server but if a hacker can reverse-engineer your code they can likely reverse-engineer your obfuscation.

It'd be good to develop safety measures to take if someone does get your keys (database backups, etc.. ).

This link helped me when I was originally looking into this topic for one of my apps.

Answer 2

1. NSUserDefaults: NSUserDefaults is simple and effective for saving small datas like NSNumbers or NSStrings, or even saving remember me option for saving ur state of UserName. NSUserDefaults is no way stored securely as it's easily gets Hacked.
2. KeyChain: Best place to save tokens, api keys. Find the below apple documentation which describes more,

**“An encrypted container that securely stores small chunks of data on behalf of apps and secure services.” "Simply a database stored in the file system.”**

KeyChain Documentation

And here is the example of Swift Version with simple way to store and retrieve data using KeyChain

https://stackoverflow.com/a/37539998/1244403