Is it bad practice to include sensitive information in iOS source code comments?

Question

Forgive me, I thought this should be an easy question to Google, but it's turned out to be surprisingly difficult.

I am working on obfuscating secret keys in my iOS application. I'd like to add a comment above the obfuscated value that adds clarity to a developer reading the source. But, I don't want this comment to essentially "un-do" the obfuscation.

So, the question ultimately is, are comments stripped from the release build? Are they readable by tools that can inspect source?

So, looking for general security practices in terms of comments on iOS.

Answer 1

Comments are only included in the source code. The are absolutely stripped from ANY build, release or debug.

If you are looking to provide a framework to other developers, and want to hide certain things like API keys from consumers of your framework then you should look at the comments you provide in your framework, but that is not relevant to app builds that users run. There is no trace of source code or comments in those.

(Also see Rob's answer about thinks like API secrets and keys.)