Batson#iOS devs: What is the proper/accepted way of bundling info like client IDs for your app to use for API networking?
Michael Thole@batson IME, it’s generally just fine to hardcode the client ids in your Swift code. You will need to treat the id as not secret, though— it’s only mildly obfuscated.
@mthole You wouldn't put in in a config file or anything?
@batson I wouldn't use a .plist file that gets embedded into the app and dynamically read from or anything like that-- that just adds complexity for no benefit IMO.
I would try to structure the code for my app such that all this type of stuff is available in one place (i.e. Config.swift that vends a struct with some `let` properties) and then injected into actual usage.
@mthole Wouldn't the benefit be more security for the client ID, potentially preventing bad actors from impersonating your app if they decompile the source code? Probably would never actually happen, but it could in theory.
@batson Dynamically loading from a configuration file that you ship with the app would be even more accessible... so that's a lose-lose.
You could dynamically load the configuration over HTTPS, removing the secret from your .ipa bundle. Better! But "bad guys" could still run your app with an HTTPS proxy and gain access to your secrets that way. Then you get into certificate pinning and other arms-race stuff that usually isn't a good use of your time.
@mthole You’ve got a point about the never ending arms race. I’ll take your advice about using a neatly organized struct for it 👍