I’ve been thinking about how best to store basic API keys and a private key for signing requests I make to a Linode VPS for a small APNs database/server app. One idea is to use On-Demand Resources, which get loaded at runtime. I’m not sure how secure that is, and it’s not available to a Linux executable.
The other is a bit more complicated, but the main idea is to create a binary framework with a few static constants on an enum. The main iOS app components and server components would be two separate packages, both using shared package dependencies for models, etc., but would also include the framework containing keys as a binary target.
I hear this is how companies distribute closed source projects and libraries because people can’t decompile it and snoop. I saw some development with the latest Static Linux SDK, was playing with the 6.2 toolchain in Xcode 26, and thought why couldn’t I leverage the same tech companies use but for something very simple and tiny.
On a security level, I would still need to include API keys in request headers, but I assume HTTPS would cover that obfuscation.
Would a binary target with a few static constants be a viable way to distribute secrets in an app? I feel like there might be some obvious pitfalls or I would have seen someone try this when XCFramework got some love a few years back.
Roast me, amigos!
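Added example, not part of the original post: long string literals compiled into a binary are typically stored in the file as readable bytes, so a release check can scan the built artifact for known secrets and key-like strings before it ships. The sample blob, the key value and the function names are constructed for illustration.

```python
import math
import re

# Printable ASCII runs of 8+ bytes: what the `strings` utility would report.
RUN = re.compile(rb"[\x20-\x7e]{8,}")

# Constructed sample data: a stand-in for a compiled binary target, not a real
# Mach-O file. The key value is made up for this example.
SAMPLE_KEY = b"EXAMPLE_k3Y_9fQ2xLm7Tz0aVb4Rc8Wd"
SAMPLE_BLOB = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 12      # magic bytes plus padding
    + b"Secrets.swift\x00"                   # ordinary low-entropy string
    + SAMPLE_KEY + b"\x00"                   # static constant holding an API key
    + b"-----BEGIN PRIVATE KEY-----\x00"     # PEM header of an embedded key
    + b"\x01\x02\x03\x04"
)

def shannon_entropy(s):
    """Bits per byte; random-looking key material scores high."""
    return -sum(s.count(b) / len(s) * math.log2(s.count(b) / len(s)) for b in set(s))

def audit_binary(blob, known_secrets, entropy_floor=4.0):
    """Return (exact_hits, suspects) for a built artifact.

    exact_hits: (offset, secret) for every verbatim occurrence of a known secret.
    suspects:   (offset, text) for printable runs that look like key material.
    """
    exact_hits = []
    for secret in known_secrets:
        idx = blob.find(secret)
        while idx != -1:
            exact_hits.append((idx, secret.decode()))
            idx = blob.find(secret, idx + 1)
    suspects = []
    for m in RUN.finditer(blob):
        text = m.group()
        pem = b"-----BEGIN" in text
        key_like = b" " not in text and shannon_entropy(text) >= entropy_floor
        if pem or key_like:
            suspects.append((m.start(), text.decode()))
    return exact_hits, suspects

if __name__ == "__main__":
    hits, suspects = audit_binary(SAMPLE_BLOB, [SAMPLE_KEY])
    for offset, text in hits + suspects:
        print(f"0x{offset:04x}  {text}")
    raise SystemExit(1 if hits or suspects else 0)  # fail the build on any finding
```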