Best practice for storing API key in-app?
Hello — crossposting from the Slack since I didn't get a response (https://pendo-connect.slack.com/archives/C743V48K0/p1727890736893159)
I'm new to Pendo, and I'm adding the mobile SDK to an iOS + Android project.
Following this installation instruction (https://github.com/pendo-io/pendo-mobile-sdk/blob/master/ios/pnddocs/native-ios.md#step-2-establish-a-connection-to-pendos-server-on-app-launch), I noticed that the API key is a static JWT token.
But it feels weird adding something to my app like this:
let myPendoKey = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
PendoManager.shared().setup(myPendoKey)
I feel like someone could extract this key by decompiling the app. Does anybody have a pattern for securely storing this key in their app? And if the key is stolen, what's the worst an attacker could do with it?
Thanks!
Comments
Hi Brandon,
Looking into that Slack channel you mentioned as we're not aware of it.
In regards to your question, the API key is a static JWT token and it is possible to retrieve it by decompiling the app as you mentioned. Though access to your app key would not allow access to your subscription or users' data. Someone with the app key could potentially send garbage data to your subscription but that is about it. To avoid this scenario we do offer an alternative Secure Metadata Session integration which requires additional setup effort but would allow you to authenticate the source of the data sent to your subscription. You can read more about it here: https://support.pendo.io/hc/en-us/articles/360039616892-Send-signed-metadata-with-JWT
The majority of our customers just use the regular integration provided on GitHub and if there is fear that the app key has been compromised you can contact us to assist.
Let me know if you have further questions.
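The answer above makes two points a practitioner will want to see side by side: an app key that ships in the binary cannot authenticate anything, while a signature produced with a secret that stays on your own backend can. The following is an added illustration, not Pendo's code and not the scheme in the linked article (which you should follow for the real integration); it assumes a plain HS256 JWT over visitor/account metadata, signed server-side and verified by the receiving side. The secret, claim names, and the tamper fixture are all constructed for the example, using only the Python standard library.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for the example. In the signed-metadata pattern this value
# lives only on the customer's backend and is never compiled into the app,
# which is exactly what distinguishes it from the extractable app key.
SIGNING_SECRET = b"backend-only-secret-do-not-ship-in-app"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_metadata(claims: dict, secret: bytes = SIGNING_SECRET) -> str:
    """Backend side: produce a compact HS256 JWT over the metadata the app will forward."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_metadata(token: str, secret: bytes = SIGNING_SECRET,
                    now: Optional[float] = None) -> Optional[dict]:
    """Receiving side: return the claims only if the signature (and exp, if present)
    check out; any malformed or tampered token yields None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: never let the token choose it (rejects "none" and alg swaps).
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        # Constant-time comparison so signature checks do not leak timing.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if not isinstance(claims, dict):
            return None
    except ValueError:  # covers bad base64, bad JSON, wrong number of segments
        return None
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] < now:
        return None
    return claims


def tamper_visitor_id(token: str, new_visitor_id: str) -> str:
    """Test fixture: rewrite the payload while keeping the original signature, which is
    all a party holding only the extracted app key (not the backend secret) could do.
    The verifier must reject the result."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["visitor_id"] = new_visitor_id
    tampered_payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{tampered_payload}.{sig_b64}"


if __name__ == "__main__":
    token = sign_metadata({"visitor_id": "v-123", "account_id": "acme", "exp": 2000000000})
    print("valid token  ->", verify_metadata(token, now=1700000000))
    print("tampered     ->", verify_metadata(tamper_visitor_id(token, "v-999"), now=1700000000))
    print("expired      ->", verify_metadata(token, now=2000000001))
```

The takeaway for the original question: nothing you do inside the app (obfuscation, Keychain, string splitting) changes the fact that the app key is readable by anyone who can run the app, so the worthwhile control is the one the answer names, a signature minted by a backend the attacker cannot reach, which lets the receiving side drop payloads that were not vouched for.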
Hello, Noam,
It's good to know that the token is only permissioned to send data to our instance. It sounds like we can take action if we feel that we're under attack, but that is not a worthwhile problem to address on the initial implementation.
Thanks,
Brandon