by cypherpunks01 1166 days ago
Even if you store API keys in code inside a distributed binary, isn't it pretty simple for users to mitmproxy and view API requests containing their keys sent? There's no real way to control API keys given out to users - if you want to hide them, you just have to proxy requests instead.
2 comments

There's a really good iOS app called Proxyman[0] (the Mac app is also excellent) that lets you view HTTP requests that apps make from inside iOS.

If you're curious about this sorta stuff, I definitely recommend checking it out.

[0]: https://proxyman.io/ios

Some people do cert pinning to prevent this, but generally yes it is pretty simple.

You can't do cert pinning if you're using the openai api directly though?

That only applies for internal api calls, at which point the requests/binary won't contain the openai key?

Ehh, I don't think it'd be that hard to implement cert pinning against OpenAI's APIs.

You just need some very permissive pinning, where you require any publicly trusted CA, to prevent MITM attacks. Basically only trust the root CAs a phone already trusts by default. You don't need coordination between the server and your client to implement this. All you have to do is prevent your TLS calls from trusting any certs signed by manually trusted CAs that Proxyman/Charles/etc might have had the user add.

Of course, that'll only delay the API keys leaking. With a jailbroken iPhone and Frida you can effectively disable cert pinning checks. Or extract the keys from memory, or binary analysis, etc.
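The "permissive pinning" described above, written out as an added example (not the commenter's code): a URLSessionDelegate that evaluates the server's chain against bundled copies of public root CAs only, so a proxy CA the user installed manually is never consulted. It assumes the app ships DER-encoded root certificates as bundle resources (the resource name "ISRG_Root_X1" is a placeholder for whichever public roots you bundle).

```swift
import Foundation
import Security

/// Trusts only the public root CAs bundled with the app, ignoring any CA the
/// user added to the device (e.g. a Proxyman/Charles interception CA).
final class PublicRootsOnlyDelegate: NSObject, URLSessionDelegate {
    private let anchors: [SecCertificate]

    init(anchors: [SecCertificate]) {
        self.anchors = anchors
    }

    /// Loads DER-encoded root certificates shipped as bundle resources.
    /// Resource names are an assumption: bundle the roots your API actually chains to.
    static func loadBundledRoots(named names: [String]) -> [SecCertificate] {
        names.compactMap { name in
            guard let url = Bundle.main.url(forResource: name, withExtension: "der"),
                  let data = try? Data(contentsOf: url) else { return nil }
            return SecCertificateCreateWithData(nil, data as CFData)
        }
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Replace the trust evaluation's anchor set with our bundled public roots and
        // forbid falling back to the device store, which is where user-added CAs live.
        SecTrustSetAnchorCertificates(trust, anchors as CFArray)
        SecTrustSetAnchorCertificatesOnly(trust, true)

        var error: CFError?
        if SecTrustEvaluateWithError(trust, &error) {
            // Chain terminates in a bundled public root: hostname, validity and
            // revocation policy were still checked by the standard evaluation.
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage: every request through this session is refused if the chain ends in a
// root that is not one of the bundled public CAs.
let roots = PublicRootsOnlyDelegate.loadBundledRoots(named: ["ISRG_Root_X1"])  // placeholder name
let session = URLSession(configuration: .default,
                         delegate: PublicRootsOnlyDelegate(anchors: roots),
                         delegateQueue: nil)
```

Keep the bundled root set current with the CAs your API provider actually uses, or a provider-side root rotation will break the app exactly as strict pinning would.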

> All you have to do is prevent your TLS calls from trusting any certs signed by manually trusted CAs that Proxyman/Charles/etc might have had the user add.

Yeah but I have certs signed by trusted root authorities a la letsencrypt?

The letsencrypt root CA is included in this. If you trust only a device’s default trusted CA all letsencrypt certs will work. Also they don’t have their own root CA: https://letsencrypt.org/certificates/

I'm dumb and realized I can get a letsencrypt cert but the domain won't match.....

Yeah you are correct, only really can be done with apis you can control, even then it is a pain because you need the certs and app in lockstep. But for example if your proxy api used an api key and you wanted an additional layer of security. Edit: sibling comment is interesting for an approach that might remove low hanging fruit