iOS: Is there a safe way to include an API key in the code?

Question

Amazon has an AWS SDK for iOS, along with several sample apps. In their samples, they put the API credentials in a Constants.h file:

// Constants used to represent your AWS Credentials.
#define ACCESS_KEY_ID          @"CHANGE ME"
#define SECRET_KEY             @"CHANGE ME"

My concern is that these can be extracted by a determined hacker. Is there any way to securely include API keys in an app?

The one option I've seen is to include a server of my own as a go-between: the app talks to my server, my server talks to S3. I can see the value in doing this, but one is still presented with the problem: do I allow the app to make API calls on my server without any kind of authentication? Including my own API key in the app has the same problem as including AWS API keys.

Answer 1

There are a couple of credential management options to help you avoid embedding credentials in your app. The first is Web Identity Federation, which allows users to log in to your app with Facebook, Google, or Login With Amazon. Another option is to use a Token Vending Machine, which is a server component that distributes temporary credentials to your app.

There is a high-level overview with pointers to the relevant documentation and code samples on the AWS Mobile Development Blog: http://mobile.awsblog.com/post/Tx3UKF4SV4V0LV3/Announcing-Web-Identity-Federation

Answer 2

You'll probably want to create temporary write credentials using AWS STS tokens instead of passing keys all the way to the client. You can also create OAIs for CloudFront endpoints so no users directly access S3.

http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html