Security Best Practices
We have compiled a list of best practices, along with recommended software, to help you safeguard your API keys.
Best Practices
API keys are identifiers that authenticate access to your Brankas account. It is essential to safeguard your API keys. Here are some tips on how to keep your API keys safe and secure.
Store API Keys
We suggest the following approaches and software for storing API keys:
- Obfuscation - Use a third-party framework such as Obfuscator or Appfigurate, or a code generation tool such as GYP
- Encapsulation - Create a framework or static library that holds the secret and import it into your project; call the library's API key method to retrieve the key at runtime
- Server Storage - The API key can be retrieved at runtime from:
  - Your own server, through an API endpoint
  - Apple services:
    - On-Demand Resources, Plain-Text Download
    - CloudKit Database (a private database configured from the CloudKit Dashboard)
    - APNS (silent push notification)
- Save the key in the Secure Enclave
Revoke API Keys
Due to security reasons and how OAuth has been set up, API keys cannot be revoked remotely. To revoke API keys, generate a new API Key and update the environments accordingly.
Anti-Reverse Engineering Helper Tools
The following tools help detect and resist reverse engineering of your app:
- IOSSecuritySuite
  - Jailbreak Detection
  - Debugger Detection
  - Runtime Hook Detection
- Thales Protector Oath SDK
Brankas recommends limiting access to API keys to only those users who require them.
- DO NOT store API Keys as plaintext files in the Version Control System (VCS). Storing API Keys in the VCS may result in sharing them publicly, allowing anyone who obtains the token to access your accounts.
- DO NOT store tokens in email inboxes or chat logs. Tokens should only live in Brankas and in production systems. You can retrieve API Keys from your Profile Settings page.
- DO NOT store the token in user-accessible code such as browser-side JavaScript or Android apps, which can be decompiled.
In Case of a Security Breach
If an API Key has been accidentally pushed to a remote public repository, we suggest rotating it. Deleting the token from the VCS is not sufficient: a VCS keeps the full change history, is distributed (other clones retain the commit), and may have automation that runs on every new push.
Brankas recommends generating a new API Key and updating your environments, which revokes access from the previous API key. Learn how to generate an API key.
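The VCS rules above and the breach procedure both come down to keeping key-shaped strings out of commits in the first place. The script below is an added example, not Brankas code or a Brankas tool: a pre-commit style scan that rejects staged files containing anything shaped like an API key. The `brk_` prefix followed by 32 alphanumeric characters is an assumed shape used only for illustration, as are the file name `check_keys.sh` and the sample values; substitute the real format of your keys.

```shell
#!/bin/sh
# Added example, not Brankas code: a pre-commit style scan that rejects
# commits containing strings shaped like an API key, so a key is caught
# before it enters the repository history. The "brk_" prefix followed by
# 32 alphanumeric characters is an assumed shape used for illustration
# only; substitute the real format of your keys.

API_KEY_PATTERN='brk_[A-Za-z0-9]{32}'

# scan_for_keys FILE
# Returns 0 when FILE contains nothing matching API_KEY_PATTERN and 1 when
# it does, printing the matching line numbers with the key value redacted,
# so the developer can fix the commit without echoing the secret into a log.
scan_for_keys() {
    file="$1"
    if grep -nE "$API_KEY_PATTERN" "$file" >/dev/null 2>&1; then
        echo "possible API key in $file:" >&2
        grep -nE "$API_KEY_PATTERN" "$file" \
            | sed 's/brk_[A-Za-z0-9]\{32\}/brk_<redacted>/g' >&2
        return 1
    fi
    return 0
}

# check_staged
# Hook entry point: scan every added, copied or modified file staged for
# commit and fail the commit if any of them trips the scan. Install by
# copying this file to .git/hooks/pre-commit and appending a line that
# calls check_staged.
check_staged() {
    status=0
    for f in $(git diff --cached --name-only --diff-filter=ACM); do
        [ -f "$f" ] && { scan_for_keys "$f" || status=1; }
    done
    return $status
}

# Stand-alone demo on constructed files: sh check_keys.sh --demo
# (the key value below is made up and has never been a real key).
if [ "${1:-}" = "--demo" ]; then
    bad=$(mktemp); good=$(mktemp)
    printf 'BRANKAS_API_KEY=brk_%s\n' 'abcdefghijklmnopqrstuvwxyz012345' > "$bad"
    # The safe variant reads the key from the environment at runtime
    # instead of hardcoding it.
    printf 'BRANKAS_API_KEY=${BRANKAS_API_KEY:?set in environment}\n' > "$good"
    if scan_for_keys "$bad"; then
        echo "unexpected: key not detected in $bad"
    else
        echo "demo: key detected and commit would be blocked"
    fi
    scan_for_keys "$good" && echo "demo: no key found in $good"
    rm -f "$bad" "$good"
fi
```

A hook like this only stops the common accident; keys already in history still need the rotation described above, and the pattern must be kept in step with the real key format or the check silently passes everything.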