
How to: securely store secret tokens when publishing iOS App (Nativescript)

My Nativescript app has some secret api tokens. I want to publish the app to the iOS app store. What do I need to do to keep the tokens secret when I publish the app?

I see a discussion here about storing secrets using webpack environmental variables. I am new to webpack, but it seems like this is the best way to do it.

Following that discussion, I am able to put my tokens into the webpack bundle (instead of hardcoding them), like this:

$ tns run ios --bundle --env.uglify --env.aot --env.secret_token="yaySecret"

But does this keep "yaySecret" secret? I don't see this addressed anywhere in NS docs or online.

I assume this bundle command creates a bundle, and then this bundle becomes part of what Apple publishes. But then isn't Apple able to view "yaySecret"?

Uglify actually does the job here (--env.uglify).

--env.secret_token will be just a parameter that is passed to the compiler. It will replace the occurrences of the variable in the source code with the actual value, based on your webpack define configuration.

You should have something similar to this in your webpack config:

```javascript
// Define useful constants like TNS_WEBPACK
// (webpack.DefinePlugin replaces each key with the given expression at build time;
// the value must be JSON-encoded so it lands in the bundle as a string literal)
new webpack.DefinePlugin({
  "global.TNS_WEBPACK": "true",
  "global.SECRET_TOKEN": JSON.stringify(env.secret_token),
  "process": undefined,
}),
```

So all occurrences of global.SECRET_TOKEN in your actual source code will be replaced by the actual token you passed on the command line.

So far this has nothing to do with security; reverse engineering the APK may show the entire source code and the token value. Using minimizers like Uglify is what makes your code hard to read.

There are many other minimizers / obfuscators on the market; javascript-obfuscator is one free tool I have seen people using with NativeScript often. All of these tools have tons of options. If you want to encrypt your code properly, you might need to pay more attention to those options.

There are even paid tools like jscrambler. Using obfuscators is not limited to NativeScript / JavaScript; even many native Android apps use a Java obfuscator to prevent extraction of source code and sensitive information from the APK. So using an obfuscator is very common irrespective of the platform you choose.

Additionally, what you could do is not simply hard-code your token. You may pass some encrypted value to env.secret_token, then write some complex function which can take this encrypted value and give you the actual token at run time. At the end of the day it's all about making your code harder to break.
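To make the point in the answer concrete, here is an added example (not code from the question, the answer, NativeScript or webpack). It uses a simplified stand-in for DefinePlugin's substitution and a crude whitespace-stripping stand-in for a minifier, both assumptions for illustration, and then runs the check a release pipeline would want: scanning the produced bundle text for a known secret in plain, base64 and hex form. The source snippet and the token `yaySecret` are constructed sample input.

```javascript
// Added example, not from the original post. Demonstrates that a compile-time
// define bakes the secret into the bundle as a string literal, and provides a
// post-build check that flags any bundle still carrying a known secret.

// Constructed sample app source that reads the compile-time define.
const SOURCE = [
  'const token = global.SECRET_TOKEN;',
  'fetch("https://api.example.invalid/data", { headers: { Authorization: "Bearer " + token } });',
].join('\n');

// Simplified stand-in for webpack's DefinePlugin (assumption, not webpack's code):
// each key is replaced verbatim with the expression text it maps to.
function substituteDefines(source, defines) {
  let out = source;
  for (const [name, expr] of Object.entries(defines)) {
    const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
    // Function replacer so "$" sequences inside the value are not interpreted.
    out = out.replace(new RegExp(escaped, 'g'), () => expr);
  }
  return out;
}

// Crude minifier stand-in: real minifiers rename identifiers and drop whitespace,
// but string literals survive unchanged, which is all this needs to show.
function minify(code) {
  return code.replace(/\s+/g, ' ').trim();
}

// Post-build leak check: report every occurrence of each secret in the bundle,
// in plain text and in the two trivial encodings a hasty "hiding" step might use.
function findSecretLeaks(bundleText, secrets) {
  const findings = [];
  for (const [label, secret] of Object.entries(secrets)) {
    const forms = {
      plain: secret,
      base64: Buffer.from(secret, 'utf8').toString('base64'),
      hex: Buffer.from(secret, 'utf8').toString('hex'),
    };
    for (const [encoding, needle] of Object.entries(forms)) {
      let idx = bundleText.indexOf(needle);
      while (idx !== -1) {
        findings.push({ label, encoding, offset: idx });
        idx = bundleText.indexOf(needle, idx + 1);
      }
    }
  }
  return findings;
}

// Mirror the DefinePlugin config from the answer, build, minify, then scan.
function buildAndCheck(secretToken) {
  const defines = {
    'global.TNS_WEBPACK': 'true',
    'global.SECRET_TOKEN': JSON.stringify(secretToken),
  };
  const bundle = minify(substituteDefines(SOURCE, defines));
  const leaks = findSecretLeaks(bundle, { secret_token: secretToken });
  return { bundle, leaks };
}

const result = buildAndCheck('yaySecret');
console.log('bundle:', result.bundle);
console.log('leaks:', result.leaks);
if (result.leaks.length > 0) {
  console.log('FAIL: the token is recoverable from the shipped bundle; keep it server-side instead');
}
```

Run it with `node` and the scan reports the token sitting in the minified bundle as a plain string literal. Wiring `findSecretLeaks` against the real output of `tns run ios --bundle --env.uglify` (the `.js` files under the built app, assumed location) gives the same answer: minification and obfuscation change how hard the literal is to read, not whether it is present, so a token that must stay private belongs behind a server endpoint rather than in the app.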
