Categories
api-key authentication ios secret-key security

Secure keys in iOS App scenario, is it safe?

I am trying to hide 2 secrets that I am using in one of my apps.

As I understand the keychain is a good place but I can not add them before I submit the app.

I thought about this scenario –

  • Pre seed the secrets in my app’s CoreData Database by spreading them in other entities to obscure them. (I already have a seed DB in that app).
  • As the app launches for the first time, generate and move the keys to the keychain.
  • Delete the records from CoreData.

Is that safe or can the hacker see this happening and get those keys?

*THIRD EDIT**
Sorry for not explaining this scenario from the beginning – The App has many levels, each level contains files (audio, video, images). The user can purchase a level (IAP) and after the purchase is completed I need to download the files to his device.

For iOS6 the files are stored with Apple new “Hosted Content” feature. For iOS5 the files are stored in amazon S3.

So in all this process I have 2 keys:
1. IAP key, for verifying the purchase at Apple IAP.
2. S3 keys, for getting the files from S3 for iOS5 users:

NSString *secretAccessKey = @"xxxxxxxxx";
NSString *accessKey = @"xxxxxxxxx";

Do I need to protect those keys at all? I am afraid that people will be able to get the files from S3 with out purchasing the levels. Or that hackers will be able to build a hacked version with all the levels pre-downloaded inside.