What Is This Vulnerability
Hardcoded API Keys in IPA is a vulnerability where sensitive credentials are embedded in iOS application bundles. IPA files are ZIP archives containing the compiled Mach-O binary, property lists (.plist files), and bundled resources. Using tools like class-dump, otool, strings, or Hopper Disassembler, attackers can extract API keys, tokens, and secrets from the binary and its resources.
iOS developers sometimes assume that App Store distribution and code signing provide adequate protection against reverse engineering. However, any user with a jailbroken device or any developer with a valid Apple Developer account can extract and analyze IPA contents.
Why It's Dangerous
Secrets extracted from iOS bundles carry the same risks as Android key exposure:
- Backend service access — Supabase, Firebase, and cloud provider keys enable direct API interaction.
- Financial impact — payment processor keys (Stripe) and metered API keys (OpenAI, Anthropic) result in unauthorized charges.
- Data breaches — database connection strings or service role keys can expose entire databases.
- Account takeover — OAuth client secrets can be used to forge authentication flows.
- Regulatory violations — exposure of keys that access PII may trigger GDPR, HIPAA, or CCPA obligations.
iOS apps distributed through the App Store are available to billions of devices. A single hardcoded key in a popular app can be extracted within hours of release.
How to Detect
Extract and analyze the IPA file (an IPA is a ZIP archive, so the app bundle lands under Payload/ after unzipping):
# Unzip the IPA
unzip app.ipa -d payload/
# Extract printable strings from the Mach-O binary (the executable is named after the bundle)
strings payload/Payload/App.app/App > strings_output.txt
# Search for common key patterns
grep -E "AIza[0-9A-Za-z_-]{35}" strings_output.txt # Firebase
grep -E "eyJhbGciOi" strings_output.txt # JWT tokens
grep -E "sk_live_[0-9a-zA-Z]{24}" strings_output.txt # Stripe
grep -E "sk-[a-zA-Z0-9]{20,}" strings_output.txt # OpenAI
# Check embedded plist files (plutil -p prints binary plists as readable text)
plutil -p payload/Payload/App.app/Info.plist | grep -iE "key|secret|api"
plutil -p payload/Payload/App.app/GoogleService-Info.plist
AuditYour.app supports IPA uploads and performs automated extraction of the binary and all bundled resources, scanning for over 100 secret patterns across cloud providers, payment processors, and AI services.
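As an added example (not code from this page or from AuditYourApp), the Python script below applies the same patterns and the same key-name check to files taken from an unzipped IPA: scan_bytes runs directly over the raw Mach-O bytes so no separate strings pass is needed, scan_plist parses XML or binary plists (Xcode converts bundled plists to binary, which plistlib reads just like plutil does) and walks nested dictionaries and arrays, and every finding is redacted so the report itself never re-leaks the key. The sample binary and plist are constructed and contain no real keys.

```python
import plistlib
import re

# Same patterns as the grep commands above, keyed by what they identify.
SECRET_PATTERNS = {
    "firebase_api_key": re.compile(rb"AIza[0-9A-Za-z_-]{35}"),
    "jwt": re.compile(rb"eyJhbGciOi[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*"),
    "stripe_live_secret": re.compile(rb"sk_live_[0-9a-zA-Z]{24}"),
    "openai_key": re.compile(rb"sk-[a-zA-Z0-9]{20,}"),
}
SENSITIVE_KEY_NAME = re.compile(r"key|secret|api", re.IGNORECASE)  # mirrors the plutil | grep check

def redact(value: bytes) -> str:
    """Report only a short prefix so the findings list never re-leaks the full secret."""
    text = value.decode("ascii", "replace")
    return f"{text[:8]}...({len(text)} chars)"

def scan_bytes(blob: bytes, source: str) -> list[dict]:
    """Regex-scan raw bytes (Mach-O binary, nibs, JSON, ...); no `strings` pass needed."""
    return [{"source": source, "type": name, "offset": m.start(), "value": redact(m.group())}
            for name, pat in SECRET_PATTERNS.items() for m in pat.finditer(blob)]

def _walk_strings(node, path=""):
    """Yield (key path, value) for every string in a parsed plist, nested containers included."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk_strings(v, f"{path}/{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk_strings(v, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def scan_plist(data: bytes, source: str) -> list[dict]:
    """Parse an XML or binary plist; flag values matching a pattern or stored under a suspicious key."""
    findings = []
    for path, value in _walk_strings(plistlib.loads(data)):
        hits = scan_bytes(value.encode(), f"{source}:{path}")
        if not hits and SENSITIVE_KEY_NAME.search(path):  # e.g. CLIENT_SECRET in an unknown format
            hits = [{"source": f"{source}:{path}", "type": "suspicious_key_name", "offset": 0,
                     "value": redact(value.encode())}]
        findings.extend(hits)
    return findings

# Constructed sample data standing in for files from an unzipped Payload/App.app (not real keys).
SAMPLE_BINARY = (b"\xcf\xfa\xed\xfe" + b"\x00" * 12 + b"https://api.example.invalid/v1\x00"
                 + b"AIzaSyConstructedExampleKey0123456789AB\x00" + b"sk_live_CONSTRUCTED0123456789abc\x00")
SAMPLE_PLIST = plistlib.dumps({"BUNDLE_ID": "com.example.app", "URL_SCHEMES": ["com.example.app"],
                               "CLIENT_SECRET": "not-a-recognised-pattern",
                               "API_KEY": "AIzaSyConstructedExampleKey0123456789AB"}, fmt=plistlib.FMT_BINARY)
```

For a real bundle, pass the bytes of payload/Payload/App.app/App to scan_bytes and the bytes of each .plist in the bundle to scan_plist; the patterns dictionary is the place to add the other services you care about.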
How to Fix
Apply the same principles as Android — never embed secrets in the app bundle:
import Foundation

// BAD: Hardcoded in source (shown only for contrast; anyone with the IPA can read this)
let supabaseKey = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

// GOOD: Fetch from secure backend at runtime
// AppConfig's fields are an assumption here; the page does not define them.
struct AppConfig: Decodable {
    let supabaseKey: String
}

func fetchAppConfig(authToken: String) async throws -> AppConfig {
    // authToken is the signed-in user's session token, obtained at runtime and never bundled
    var request = URLRequest(url: URL(string: "https://api.myapp.com/config")!)
    request.setValue("Bearer \(authToken)", forHTTPHeaderField: "Authorization")
    let (data, _) = try await URLSession.shared.data(for: request)
    return try JSONDecoder().decode(AppConfig.self, from: data)
}
Additional mitigations for iOS:
- Store runtime secrets in the iOS Keychain, never in UserDefaults or plist files.
- Use Apple's App Attest API to verify app integrity on the server side.
- Implement SSL pinning with URLSessionDelegate to prevent traffic interception.
- Ensure only non-privileged keys (anon keys) are bundled, with server-side rules enforcing actual security.
- Strip debug symbols and use bitcode to raise the bar for static analysis.