by tikkun
1166 days ago
If you want a solution that isn't perfect, but is at least slightly better: Store the key in your code but in a basic encrypted string, and then decrypt it at runtime. Yes, it's still easy to get if someone is motivated, but it's a lot harder to read the machine calls figuring out what method was used to encrypt the string (make it a method that can't be figured out from only the encrypted string), than it is to read the plaintext key from the Plist. Bad in theory, helpful in practice.

You're much better off proxying calls from your own server API, having proper rate limits and authentication, and a strict API surface that doesn't permit arbitrary calls to whatever APIs you depend on.
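A sketch of the server-side proxy described in the reply above, added here as an illustration and not code from either commenter. The route names, tokens, limits and the `upstream` callable are all assumptions; the point is that the third-party key lives only on the server and clients can reach one allowlisted operation.

```python
import hmac
import time

# Constructed values; a real deployment loads these from server-side secret storage.
UPSTREAM_KEY = "sk-placeholder-never-shipped-to-clients"
CLIENT_TOKENS = {"token-alice": "alice"}             # per-user session tokens
ALLOWED = {("POST", "/summarize"): "/v1/complete"}   # app route -> upstream path
RATE, BURST = 1.0, 3                                 # refill per second, bucket size

_buckets = {}  # user -> (tokens_left, last_seen_timestamp)

def authenticate(token):
    """Return the user owning this token, using constant-time comparison."""
    supplied = (token or "").encode()
    for known, user in CLIENT_TOKENS.items():
        if hmac.compare_digest(known.encode(), supplied):
            return user
    return None

def allow(user, now):
    """Per-user token bucket: refill by elapsed time, spend one per request."""
    tokens, last = _buckets.get(user, (BURST, now))
    tokens = min(BURST, tokens + (now - last) * RATE)
    if tokens < 1:
        _buckets[user] = (tokens, now)
        return False
    _buckets[user] = (tokens - 1, now)
    return True

def handle(method, path, token, body, upstream, now=None):
    """Proxy one client request; returns (status, payload)."""
    now = time.monotonic() if now is None else now
    user = authenticate(token)
    if user is None:
        return 401, "unauthenticated"
    target = ALLOWED.get((method, path))   # no pass-through of arbitrary paths
    if target is None:
        return 404, "route not exposed"
    if not allow(user, now):
        return 429, "rate limit exceeded"
    # Strict body schema: exactly one bounded field, nothing forwarded verbatim.
    if not isinstance(body, dict) or set(body) != {"text"} or len(str(body["text"])) > 2000:
        return 400, "invalid body"
    # Only the server attaches the key; the client never sees it.
    headers = {"Authorization": "Bearer " + UPSTREAM_KEY}
    return 200, upstream(target, headers, {"prompt": body["text"]})
```

`upstream` stands in for whatever HTTP client call reaches the third-party API, which keeps the sketch runnable offline.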