Security Best Practices

We have compiled a list of best practices, along with recommended software, to help you safeguard your API keys.

Best Practices

API keys are credentials that authenticate access to your Brankas account, so anyone who holds one of your keys can act as you. It is essential to safeguard them. The following tips explain how to keep your API keys safe and secure.

Store API Keys

We suggest the following approaches and software for storing API keys in an app (most of these are iOS-specific):

  • Obfuscation - Use a third-party framework such as Obfuscator or Appfigurate, or a code generation tool such as GYP, so the key is not present as a plain string literal in the binary. Obfuscation only slows an attacker down: the key is reassembled in memory when it is used, so a debugger or a hooked network layer can still recover it
  • Encapsulation - Create a framework or static library that stores the secret and import it into the project. Call the library's API key method to retrieve the key at runtime
  • Server Storage - Instead of shipping the key in the app, retrieve it at runtime from:
    • Your own server, through an API server
    • Apple services:
      • On-Demand Resources (plain-text download)
      • CloudKit Database (a private database created from the CloudKit Dashboard)
      • APNs (silent push notification)
  • Save the key in the Secure Enclave. The Secure Enclave holds only elliptic-curve private keys that it generates itself and cannot store an arbitrary string, so the usual pattern is to generate a Secure Enclave key, encrypt the API key with it, and keep the ciphertext in the Keychain
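The "Server Storage" option is the one that removes the key from the client entirely, so it is worth seeing end to end. The following is an added example, not Brankas code: the app authenticates to your own server with a short-lived session token, and only the server attaches the API key when it calls upstream. The upstream URL, the `X-API-Key` header name, the session-token format and the demo values are all hypothetical placeholders, not taken from Brankas documentation.

```python
"""Server-side key broker: an added example, not Brankas code.

The client never holds the Brankas API key. It logs in to your own server,
receives a short-lived HMAC-signed session token, and the server adds the API
key only on the hop to the upstream API. Hypothetical pieces (not from Brankas
documentation): UPSTREAM_BASE, the X-API-Key header, the token format, demo values.
"""
import hashlib
import hmac
import json
import os
from typing import Callable, Dict, Optional, Tuple

UPSTREAM_BASE = "https://api.example.invalid"  # hypothetical upstream, not the real API
# Constructed demo key. In production the server reads the real key from its
# secret store or environment; no client build ever contains it.
DEMO_API_KEY = os.environ.get("BRANKAS_API_KEY", "demo-key-7c2e9a04d1f58b36")

# A transport takes (url, headers) and returns (status, body). Injecting it lets
# the broker run offline against a fake.
Transport = Callable[[str, Dict[str, str]], Tuple[int, bytes]]


class KeyBroker:
    def __init__(self, api_key: str, session_secret: bytes, transport: Transport):
        self._api_key = api_key              # lives only in server memory
        self._session_secret = session_secret
        self._transport = transport

    def issue_session(self, user_id: str, now: float, ttl: int = 900) -> str:
        """Mint an HMAC-signed session token once the user has authenticated."""
        payload = f"{user_id}:{int(now) + ttl}"
        sig = hmac.new(self._session_secret, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}:{sig}"

    def verify_session(self, token: str, now: float) -> Optional[str]:
        """Return the user id for a genuine, unexpired token, otherwise None."""
        try:
            user_id, exp_str, sig = token.rsplit(":", 2)
            exp = int(exp_str)
        except ValueError:
            return None
        expected = hmac.new(self._session_secret, f"{user_id}:{exp_str}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected) or exp < now:
            return None
        return user_id

    def handle(self, token: str, path: str, now: float) -> Tuple[int, dict]:
        """Proxy a client request upstream; only the server ever sends the API key."""
        if self.verify_session(token, now) is None:
            return 401, {"error": "invalid or expired session"}
        headers = {"X-API-Key": self._api_key,          # hypothetical header name
                   "Accept": "application/json"}
        status, body = self._transport(UPSTREAM_BASE + path, headers)
        return status, json.loads(body)


def build_demo_broker() -> Tuple[KeyBroker, Dict[str, str]]:
    """Wire a broker to a recording fake transport so the flow runs offline."""
    seen: Dict[str, str] = {}

    def fake_transport(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
        seen.clear()
        seen.update(headers)
        seen["url"] = url
        if headers.get("X-API-Key") != DEMO_API_KEY:
            return 401, b'{"error": "unauthenticated"}'
        return 200, b'{"balance": "100.00"}'  # constructed upstream response

    return KeyBroker(DEMO_API_KEY, b"demo-session-secret", fake_transport), seen


if __name__ == "__main__":
    import time
    broker, seen = build_demo_broker()
    token = broker.issue_session("user-42", now=time.time())
    print(broker.handle(token, "/v1/balance", now=time.time()))
    print("upstream saw the key:", seen["X-API-Key"] == DEMO_API_KEY)
```

The point to take from the structure is that the client-facing credential (the session token) and the upstream credential (the API key) are different secrets with different lifetimes: a leaked session token expires on its own and grants only that user's view, while the API key never leaves the server and is rotated on the server alone.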

Revoke API Keys

For security reasons, and because of how OAuth is set up, API keys cannot be revoked remotely. To revoke an API key, generate a new one and update your environments to use it, so that the old key is no longer in use anywhere.

Anti-Reverse Engineering Helper Tools

Listed below are tools and practices for anti-reverse engineering:

Brankas recommends limiting access to API keys to only the users who require them.

  • DO NOT store API keys as plaintext files in your Version Control System (VCS). A key committed to the VCS may end up shared publicly, allowing anyone who obtains it to access your accounts.
  • DO NOT store tokens in email inboxes or chat logs. Tokens should only live in Brankas and in your production systems. You can retrieve your API keys from your Profile Settings page.
  • DO NOT embed the token in user-accessible code such as browser-side JavaScript or Android apps, which can be decompiled.

In case of Security breach

If an API key has been accidentally pushed to a remote public repository, rotate it immediately. Deleting the key from the VCS is not sufficient: a VCS keeps the full history of changes, clones of that history are distributed to every contributor and CI system, and automated scanners watch new pushes, so the key must be treated as compromised from the moment it was pushed.

Brankas recommends generating a new API key and updating your environments to use it, which takes the previous API key out of service. Learn how to generate an API key.
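The two VCS points above, not committing keys in the first place and not trusting a deletion after a leak, can be checked with the same scanner run over two different inputs. The following is an added example, not Brankas code: in a pre-commit hook it scans `git diff --cached` for key-like assignments that are about to enter the repository, and after an incident it scans `git log -p --all` to show that a key "removed" from the working tree is still present in history. Brankas does not publish a key format on this page, so the regular expression and the entropy threshold are assumptions to tune for your own keys, and the diff and history text below are constructed samples.

```python
"""Diff and history secret scanner: an added example, not Brankas code.

Pre-commit mode reads `git diff --cached` and flags key-like values on '+'
lines. Post-incident mode reads `git log -p --all` and shows that a deleted key
still appears in the commits that added and removed it. Brankas does not
publish a key format here, so KEY_ASSIGNMENT and ENTROPY_THRESHOLD are assumed
and should be tuned; STAGED_DIFF and HISTORY are constructed samples.
"""
import math
import re
import sys

# Assumed pattern: a variable named like a key/secret/token assigned an opaque value.
KEY_ASSIGNMENT = re.compile(
    r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*[\"']?([A-Za-z0-9_\-]{20,})"
)
# Bits per character. Random hex scores near 4.0, random base64 higher, and
# templated placeholders such as REPLACE_ME_... well below. Assumed cut-off.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(value: str) -> float:
    """Shannon entropy in bits per character of the given string."""
    n = len(value)
    return -sum(value.count(c) / n * math.log2(value.count(c) / n) for c in set(value))


def scan_diff(text: str, added_only: bool = True) -> list:
    """Return (line_no, name, value) for high-entropy key assignments in diff text.

    added_only=True is pre-commit mode: only '+' lines are about to enter the
    repository. added_only=False is post-incident mode for `git log -p --all`,
    where a key removed by a later commit is still on the '+' line of the commit
    that introduced it and on the '-' line of the commit that deleted it.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.startswith(("+++ ", "--- ")):
            continue  # file headers, not content
        if added_only and not line.startswith("+"):
            continue
        m = KEY_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append((line_no, m.group(1), m.group(2)))
    return findings


# Constructed: what `git diff --cached` shows just before a bad commit.
STAGED_DIFF = """\
diff --git a/config.env b/config.env
--- a/config.env
+++ b/config.env
@@ -1,1 +1,4 @@
 APP_NAME=checkout
+BRANKAS_API_KEY=7c2e9a04d1f58b36e6b85f1d40a932c7
+PARTNER_SECRET=REPLACE_ME_REPLACE_ME_REPLACE_ME
+LOG_LEVEL=info
"""

# Constructed: `git log -p --all` after the key was committed and then "deleted".
# HEAD no longer contains the key, yet both commits still carry it.
HISTORY = """\
commit bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
Author: Dev <dev@example.invalid>

    Remove key from config

diff --git a/config.env b/config.env
--- a/config.env
+++ b/config.env
@@ -1,2 +1 @@
 APP_NAME=checkout
-BRANKAS_API_KEY=7c2e9a04d1f58b36e6b85f1d40a932c7

commit aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Author: Dev <dev@example.invalid>

    Add config

diff --git a/config.env b/config.env
--- /dev/null
+++ b/config.env
@@ -0,0 +1,2 @@
+APP_NAME=checkout
+BRANKAS_API_KEY=7c2e9a04d1f58b36e6b85f1d40a932c7
"""


if __name__ == "__main__":
    # Usage: git diff --cached | python scan_secrets.py            (pre-commit hook)
    #        git log -p --all  | python scan_secrets.py --history  (after a leak)
    hits = scan_diff(sys.stdin.read(), added_only="--history" not in sys.argv)
    for line_no, name, value in hits:
        print(f"line {line_no}: {name} = {value[:6]}... looks like a live secret")
    sys.exit(1 if hits else 0)
```

Run against the constructed samples, pre-commit mode finds one key in the staged diff (the `REPLACE_ME` placeholder is filtered out by the entropy check), and history mode finds the same key twice even though the current tree is clean. That second result is the practical reason rotation, not deletion, is the response to a leak: every clone and every history-walking scanner still has the value.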