What is the best way to store ApiKeys, ClientSecrets in an app?

What is the best way to store apikeys, client secrets and other sensitive data in an app? Currently i have them stored in a plist file. Is this the right(or a safe) way to do this? Are there any alternatives?

It really depends on how sensitive it is. A user could connect the device to a browsing tool and be able to read that plist, so it is not particularly safe. Have you considered protecting the file with something like SecKeyEncrypt/Decrypt (available in iOS since the start)? You could store an encrypted blob in the Documents directory, then read it into memory when required after decryption and update it as necessary. The key thing would be never to write the sensitive values to the file system in decrypted form. You would probably need to request that the user create some kind of password as an input to the encryption scheme because otherwise the password might be written to the filesystem, which is not as easy but still quite easy to defeat for a determined attacker.

If what you are doing must be really, really secure, consider hiring someone who really knows this stuff. I wouldn’t trust myself to do it if it was my own financial data, for instance :wink: