Securing sensitive data using Cocoapods-Keys
Every developer has to take care of code security, data-storage security and data-communication security.
This article explains how to keep critical/sensitive information out of your source code with cocoapods-keys. Be clear about what the tool does and does not do: it keeps the secret values out of the repository and compiles them into a generated class; it does not make a key secret from anyone who has the shipped app binary, so a key that must stay private belongs on a server you control, not in the app.
Q: What type of data do we need to secure?
- API keys, third-party tokens and any other secret that is considered critical for the project.
Q: Why do we need to secure it?
- To protect the project from the consequences of a leaked credential: anyone who can read the repository (a contractor, a public fork, a leaked backup) can take these values and use them against your third-party accounts, your data or your organisation.
- The article linked here explains the risks you take by saving sensitive information in your codebase.

Steps:
1. Install cocoapods-keys
$ gem install cocoapods-keys
2. Add the plugin to your Podfile
plugin 'cocoapods-keys', {
  :project => "NameOfYourProject",
  :target => "IfYouHaveMultipleTargets",
  :keys => [
    "tokenOne",
    "tokenTwo"
  ]
}
A complete example Podfile (Artsy's Eidolon): https://raw.githubusercontent.com/artsy/eidolon/0a9f5947914eb637fd4abf364fa3532b56da3c52/Podfile
3. Run pod install
The values for tokenOne and tokenTwo can be provided in two ways:
- Manually in the terminal: pod install prompts for every key that has no value yet, or you can set one up front with pod keys set tokenOne <value>; follow the article linked here
- By creating a .env file that manages all your keys
4. Creating the .env file
Again there are two ways to do this:
- With vim, following the link here to create an empty .env file
- With your favourite text editor: create a file named .env under the Pods directory (the .env file must be excluded from your git repository)
Your .env would look like this (the key names must match the ones declared in your Podfile; use straight quotes, not the typographic quotes a web page may paste):
tokenOne = "absajdsdsanada=="
tokenTwo = "adkam==12312312"
- If your Pods folder is not excluded from git, make sure to exclude .env by adding it to .gitignore.
From the cocoapods-keys README: the generated Objective-C classes are stored in the Pods/CocoaPodsKeys directory, so if you're checking in your Pods folder, just add Pods/CocoaPodsKeys to your .gitignore file. CocoaPods-Keys supports integration in Swift or Objective-C projects.
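As an added example covering steps 2 to 4 (my own check, not code from cocoapods-keys or from this article): a Ruby script that reads the key names out of the Podfile's plugin block, parses a .env file in the format shown above, and reports declared keys that have no value plus .gitignore entries that are missing. The Podfile, .env and .gitignore contents are constructed inline so it runs offline, and the class and function names (PodfileKeysScanner, parse_dotenv, check_keys_setup) are mine.

```ruby
# Added example: pre-install check for a cocoapods-keys setup (not part of
# cocoapods-keys or the article). Inputs are constructed inline; in a project
# you would File.read the Podfile, .env and .gitignore instead.

# Stand-in for the Podfile DSL: captures the cocoapods-keys plugin options and
# treats every other directive (platform, target, pod, use_frameworks!) as a no-op.
class PodfileKeysScanner
  attr_reader :project, :keys

  def initialize
    @project = nil
    @keys = []
  end

  def plugin(name, options = {})
    return unless name == "cocoapods-keys"
    @project = options[:project]
    @keys = Array(options[:keys]).map(&:to_s)
  end

  def method_missing(_name, *_args, &block)
    block.call if block # run `target ... do ... end` bodies so nested calls are seen
    nil
  end

  def respond_to_missing?(*_args)
    true
  end
end

def keys_from_podfile(podfile_source)
  scanner = PodfileKeysScanner.new
  scanner.instance_eval(podfile_source, "Podfile")
  scanner.keys
end

# Parses KEY = "value" lines: optional `export`, whitespace around `=`, single or
# double straight quotes, blank lines and # comments. Typographic quotes (“ ”)
# are deliberately not stripped, so a value pasted with curly quotes shows up as
# a wrong value instead of being silently accepted.
def parse_dotenv(text)
  env = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    m = line.match(/\A(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)\z/)
    next unless m
    key, value = m[1], m[2]
    value = Regexp.last_match(1) if value =~ /\A"(.*)"\z/ || value =~ /\A'(.*)'\z/
    env[key] = value
  end
  env
end

# Declared keys that have no usable value yet.
def missing_keys(declared, env)
  declared.reject { |k| env[k] && !env[k].empty? }
end

# Paths that must never be committed: the .env file and the generated keys class.
# Literal-entry approximation of .gitignore (no globs); `git check-ignore -q PATH`
# is the authoritative test in a real repository.
REQUIRED_IGNORES = [".env", "Pods/CocoaPodsKeys"].freeze

def missing_gitignore_entries(gitignore_text)
  patterns = gitignore_text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?("#") }
  REQUIRED_IGNORES.reject do |path|
    patterns.include?(path) || patterns.include?("#{path}/") ||
      (path.start_with?("Pods/") && (patterns.include?("Pods") || patterns.include?("Pods/")))
  end
end

def check_keys_setup(podfile, dotenv, gitignore)
  declared = keys_from_podfile(podfile)
  env = parse_dotenv(dotenv)
  { declared: declared,
    missing_keys: missing_keys(declared, env),
    missing_ignores: missing_gitignore_entries(gitignore) }
end

# Constructed sample inputs (not real files or credentials).
PODFILE = <<~RUBY
  platform :ios, '13.0'
  plugin 'cocoapods-keys', {
    :project => "NameOfYourProject",
    :keys => [
      "tokenOne",
      "tokenTwo",
      "tokenThree"
    ]
  }
  target 'NameOfYourProject' do
    use_frameworks!
    pod 'Alamofire'
  end
RUBY

DOTENV_TEXT = <<~TXT
  # tokenThree is declared in the Podfile but left empty on purpose
  tokenOne = "absajdsdsanada=="
  export tokenTwo=adkam==12312312
  tokenThree = ""
TXT

GITIGNORE_TEXT = <<~TXT
  .env
  Pods/CocoaPodsKeys
TXT

if __FILE__ == $PROGRAM_NAME
  report = check_keys_setup(PODFILE, DOTENV_TEXT, GITIGNORE_TEXT)
  puts "declared keys:   #{report[:declared].join(', ')}"
  puts "missing values:  #{report[:missing_keys].join(', ')}"    # tokenThree
  puts "missing ignores: #{report[:missing_ignores].join(', ')}" # (none)
end
```

Run it before pod install or from a pre-commit hook and fail the build when either list is non-empty. The .gitignore check only matches literal entries; in a real checkout, git check-ignore -q .env is the reliable way to confirm the file is ignored.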
5. Using the generated class in your project
- Check that the generated files appear under the Development Pods group of the Pods project (on disk they are in Pods/CocoaPodsKeys)
import Keys

public class Token {
    /// Returns the token from the class generated by cocoapods-keys
    /// - Parameter environment: Environment manager to distinguish based on scheme
    /// - Returns: Token saved in the .env file or entered in the terminal
    func fetchToken(environment: ManagerEnvironment) -> String {
        // `NameOfYourProjectKeys` is generated by cocoapods-keys from the :project name
        let keys = NameOfYourProjectKeys()
        switch environment {
        case .someEnv:
            return keys.tokenOne
        default:
            return keys.tokenTwo
        }
    }
}
6. Changing or removing a token
To remove a token:
$ pod keys rm tokenOne
To change or rename the generated class:
- Locate the generated YAML file for your project in ~/.cocoapods/keys
- Remove it and run pod install again (reference here)
7. CI support
- Bitrise provides an integration for its workflow; follow the article linked here to set it up.
- Bitrise configuration overview and bitrise.yml
- UI test configuration support
- Fastlane action
That’s it :)