Securing sensitive data using Cocoapods-Keys

Rathish Kannan
Feb 18, 2021


It is necessary for every developer to take care of code security, data storage security & data communication security.

This article explains how to secure critical/sensitive information.

Q: What type of data do we need to secure?

  • API keys, third-party tokens, and any secrets that are considered critical for the project.

Q: Why do we need to secure it?

  • To ensure your project is safe from security challenges such as data leaks, man-in-the-middle attacks, or any other threat that could be posed to your project or your organisation by someone accessing this information.
  • This article here explains the potential risks you take on by saving sensitive information in your codebase.

A basic search for “token” or “secret” will give access to sensitive data if it is not obfuscated.

Steps:

1. Install cocoapods-keys

$ gem install cocoapods-keys

2. Update your Podfile with the plugin

plugin 'cocoapods-keys', {
  :project => "NameOfYourProject",
  :target => "IfYouHaveMultipleTargets",
  :keys => [
    "tokenOne",
    "tokenTwo"
  ]
}

https://raw.githubusercontent.com/artsy/eidolon/0a9f5947914eb637fd4abf364fa3532b56da3c52/Podfile

3. Run pod install

Input for tokenOne & tokenTwo can be provided in two ways:

  • Entering the values manually in the terminal, follow this article here
  • Creating an .env file to manage all your keys

4. Creating .env file

Again, there are two ways to do this:

  • By using vim, follow this link here to create an empty .env file
  • By using your favourite text editor, create a file and rename it as .env, placed under the /pods directory (the .env file must be excluded from your git repo)

Your .env would look like this (the key names should match the ones provided in your Podfile):

tokenOne = "absajdsdsanada=="
tokenTwo = "adkam==12312312"

  • If your Pods folder is not excluded from git, make sure to exclude your .env by adding it to the .gitignore.

The generated Objective-C classes are stored in the Pods/CocoaPodsKeys directory, so if you're checking in your Pods folder, just add Pods/CocoaPodsKeys to your .gitignore file. CocoaPods-Keys supports integration in Swift or Objective-C projects.
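The name-matching and .gitignore requirements from step 4 can be checked before each commit. The Ruby script below is an added example, not code from this article or from cocoapods-keys; the function names, the constructed sample inputs, the default `secret_paths` (pass the path where your own .env lives) and the simplified .gitignore matcher are assumptions.

```ruby
# Added example (not from the article): audit a cocoapods-keys setup.

# Key names declared in the Podfile's `:keys => [...]` list.
def podfile_keys(podfile)
  list = podfile[/(?::keys\s*=>|\bkeys:)\s*\[(.*?)\]/m, 1] || ""
  list.scan(/["']([^"']+)["']/).flatten
end

# Names defined in a .env file; comments and blank lines are skipped.
def env_keys(env)
  env.each_line.map { |l| l[/\A\s*(?:export\s+)?([\w.]+)\s*=/, 1] }.compact
end

# Simplified .gitignore match (assumption: no `!` negation or `**` rules).
# `git check-ignore <path>` is the authoritative check in a real repository.
def ignored?(gitignore, path)
  rules = gitignore.each_line.map(&:strip).reject { |r| r.empty? || r.start_with?("#", "!") }
  parts = path.split("/")
  prefixes = (1..parts.size).map { |n| parts.first(n).join("/") }
  rules.any? do |rule|
    rule = rule.sub(%r{\A/}, "").chomp("/")
    prefixes.any? do |p|
      [p, File.basename(p)].any? { |c| File.fnmatch(rule, c, File::FNM_DOTMATCH) }
    end
  end
end

# Returns a list of findings; an empty list means the setup passes.
def audit(podfile, env, gitignore, secret_paths = [".env", "Pods/CocoaPodsKeys"])
  declared, provided = podfile_keys(podfile), env_keys(env)
  findings = (declared - provided).map { |k| "#{k}: declared in Podfile, not set in .env" }
  findings += (provided - declared).map { |k| "#{k}: set in .env, not declared in Podfile" }
  unignored = secret_paths.reject { |p| ignored?(gitignore, p) }
  findings + unignored.map { |p| "#{p}: not covered by .gitignore" }
end

# Constructed sample inputs: a typo in .env and an incomplete .gitignore.
SAMPLE_PODFILE = <<~POD
  plugin 'cocoapods-keys', {
    :project => "NameOfYourProject",
    :keys => ["tokenOne", "tokenTwo"]
  }
POD
SAMPLE_ENV = "tokenOne = \"constructed-value-1\"\ntokenTow = \"constructed-value-2\"\n"
SAMPLE_GITIGNORE = ".env\n"

puts audit(SAMPLE_PODFILE, SAMPLE_ENV, SAMPLE_GITIGNORE)
```

The script only reads key names, never values, so its output is safe to show in CI logs.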

5. Using the generated class in your project

  • Validate that the files are generated under /Pods/DevelopmentPods

import Keys

public class Token {
    /// Returns actual token from keychain API
    /// - Parameter environment: Environment manager to distinguish based on schema
    ///   (`ManagerEnvironment` is the app's own enum)
    /// - Returns: Token saved in .env file or inputted in terminal
    func fetchToken(environment: ManagerEnvironment) -> String {
        // `NameOfYourProjectKeys` is generated by cocoapods-keys
        let keys = NameOfYourProjectKeys()
        switch environment {
        case .someEnv:
            return keys.tokenOne
        default:
            return keys.tokenTwo
        }
    }
}

6. Changing or removing a token

To remove a token

$ pod keys rm tokenOne

To change the generated class or rename it

  • Locate the generated YAML file for your project (you can find it in this folder ~/.cocoapods/keys)
  • Remove it & execute pod install again, reference here

7. CI Support

That’s it :)

Credits:

Reference:
