- Home
- /
- Case Study: Securing API...
Securing Ele
Overcoming API Key Exposure in iOS Mobile Applications
Ele, a mobile application for iOS, faced a series of challenges related to the compromise of its API keys. These keys are crucial for accessing various services and data, and their exposure poses significant security risks.
This case study outlines the problem statements faced by Ele and the solutions implemented to mitigate these risks.
Problem Statement
Ele’s iOS app faced serious security risks due to compromised API keys, caused by inadequate protection and poor practices like embedding keys in code and weak encryption. These issues highlight the critical need for improved security measures in managing sensitive data.
- Direct API Key Exposure Risks: Shifting APIKey to Firebase Remote Config.
- API Key Migrations: Shifting APIKey to Firebase Remote Config
Securing API Keys
Solution Overview
To address the security concerns, following method iterations were employed
Moving APIKey from Codebase to Remote Config
Moved the APIKey to Firebase Remote Config, but the APIConfig is also susceptible to data compromise.
Added Firebase cloud function to shift OpenAI api call from code base to firebase cloud function (Intermediate server)
Even though shifting to firebase cloud function was a right approach, but APIKey was still in Remote Config leading to third incident of APIKey compromise.
Moved APIKey to Google Secret Manager
After this approach, APIKey was completely secure as Firebase Cloud Function was the only component to have access to APIKey now.
Several other security measures are also employed to make Firebase Cloud Function api call secure
- Auth check for user making api call on both the apps
- Added limit for number of api calls per user per day to 20 in PlantAI app
- Added auth key verification on every api call which is first saved on firebase from app, then verified on cloud function for the same user on Ele App
Scalable Security Solution
Impact Assessment
Discover how relocating API keys to Google Secret Manager and integrating Firebase Cloud Functions has fortified security and scalability for Ele’s iOS app, enhancing protection against key compromises and ensuring robust future growth.
Enhanced Security
The implementation of these security measures significantly enhanced the security posture of Ele’s iOS application. By moving the API keys to Google Secret Manager and using Firebase Cloud Functions for API calls, the risk of key compromise is reduced.
Scalability
The solution provided a scalable architecture that could be easily adapted to accommodate future growth and changes in the application’s requirements.
Conclusion
Best Practices for API Key Protection
The case study of Ele’s iOS application demonstrates the importance of adopting a multi-layered security approach to protect sensitive information, such as API keys. By implementing Firebase Cloud Functions, and Google Secret Manager, API keys are now secure, and the risk of compromise is mitigated.
This case study serves as a valuable lesson for other developers on the importance of robust security practices and the value of leveraging cloud services for key management and access control.