App Development

Using PlistBuddy to inject app secrets and keys at build time

App keys and secrets

It’s generally good software engineering practice to keep API keys and secrets out of your source code and version control system. Today we will show how to use a developer tool called PlistBuddy to inject these API keys and secrets into your application at build time.

Use case - Push notifications

PlistBuddy can be applied to any situation in which you need to create or modify property lists on the fly. Let’s look specifically at the example of configuring an iOS app to integrate with a push notification provider. Implementing push notifications in a mobile application often involves working with a push notification provider like Urban Airship. In order to integrate with a service like Urban Airship, your application needs to be uniquely identifiable.

This is usually achieved using app keys and app secrets, hash values that are used in combination to identify and verify your application with the push notification provider.

In order to do this with an iOS application and Urban Airship, you need to use the Urban Airship SDK, and set up a configuration file to tell it which application you are. The uniquely identifying app key and app secret need to be passed to Urban Airship on app startup, and they are taken from the configuration file.

Putting the app keys and app secrets directly into the configuration file will work, but when using version control like Git, keeping app keys and secrets in the repository becomes a problem if the repository is compromised. The industry-accepted best practice is to keep keys and secrets out of source control and instead store them securely in configurations.

Solution

To handle this, we decided to inject the app keys and secrets into the configuration file during the build process using PlistBuddy. Because our project was already set up with continuous integration and automating builds on a build server, setting this up didn’t take very long.

The first step is to set up environment variables on the build server. By keeping app keys and secrets as encrypted environment variables on the build server and injecting them during the build process, we can keep them out of our source code and version control systems.

The second step is to set up our automated build script to modify the configuration file during the build process. Since the configuration file is a .plist, we can use PlistBuddy to modify the file and insert the app keys and secrets in the proper places. The following shell code snippet was added to our build script to modify the AirshipConfig.plist during the build process:

# ENV.fetch raises KeyError when a variable is unset, so the build stops
# instead of writing an empty key or secret into the plist.
sh(%{
   /usr/libexec/PlistBuddy -c 'Set :developmentAppKey #{ENV.fetch("UA_DEVELOPMENT_APP_KEY")}' ../Resources/AirshipConfig.plist
   /usr/libexec/PlistBuddy -c 'Set :developmentAppSecret #{ENV.fetch("UA_DEVELOPMENT_APP_SECRET")}' ../Resources/AirshipConfig.plist
   /usr/libexec/PlistBuddy -c 'Set :productionAppKey #{ENV.fetch("UA_APP_KEY")}' ../Resources/AirshipConfig.plist
   /usr/libexec/PlistBuddy -c 'Set :productionAppSecret #{ENV.fetch("UA_APP_SECRET")}' ../Resources/AirshipConfig.plist
   /usr/libexec/PlistBuddy -c 'Save' ../Resources/AirshipConfig.plist
   })

This code snippet gets the environment variables from the build server and sets the properties on the AirshipConfig.plist file. By doing this we have been able to remove all app keys and secrets from our code repository. Storing them as encrypted environment variables on the build server is an easy and effective way to keep the keys and secrets out of source code.

Note that this does not fully protect app keys and secrets. Because property lists are readable in the app downloaded from the App Store, it is also recommended that property lists be encrypted for optimal security of sensitive app keys and secrets.
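A stricter form of the build step above, as an added example that is not part of the original build script: it validates all four variables before writing anything, calls PlistBuddy without a shell, and prints a redacted command line. The helper names and the token pattern are assumptions; the plist keys and environment variable names are the ones used in the article.

```ruby
# Added example: helper names are hypothetical; plist keys and environment
# variable names are the ones used in the article.
PLIST_BUDDY = "/usr/libexec/PlistBuddy"

UA_KEYS = {
  "developmentAppKey"    => "UA_DEVELOPMENT_APP_KEY",
  "developmentAppSecret" => "UA_DEVELOPMENT_APP_SECRET",
  "productionAppKey"     => "UA_APP_KEY",
  "productionAppSecret"  => "UA_APP_SECRET",
}.freeze

# Assumption: keys and secrets are plain URL-safe tokens. Anything else
# (blank, whitespace, quotes, shell metacharacters) is rejected.
TOKEN = /\A[A-Za-z0-9_-]+\z/

# Returns one argv array per plist key. Every variable is validated first so
# nothing is written when the build server is misconfigured. Error messages
# name the variable, never its value.
def plistbuddy_commands(env, plist_path)
  bad = UA_KEYS.values.reject { |var| TOKEN.match?(env[var].to_s) }
  raise ArgumentError, "unset or malformed: #{bad.join(', ')}" unless bad.empty?

  UA_KEYS.map do |key, var|
    [PLIST_BUDDY, "-c", "Set :#{key} #{env[var]}", plist_path]
  end
end

# Copy of an argv array that is safe to print in build output.
def redact(argv)
  argv.map { |arg| arg.sub(/\A(Set :\S+ ).*\z/m, '\1****') }
end

# Runs each command without a shell (multi-argument system), so the secret is
# never parsed as shell syntax; exception: true fails the build on error.
def inject_secrets(env, plist_path)
  plistbuddy_commands(env, plist_path).each do |argv|
    puts redact(argv).join(" ")
    system(*argv, exception: true)
  end
end

# Usage: ruby inject_secrets.rb ../Resources/AirshipConfig.plist
inject_secrets(ENV, ARGV[0]) if __FILE__ == $PROGRAM_NAME && ARGV[0]
```

PlistBuddy's Set command only changes entries that already exist, so the AirshipConfig.plist kept in version control still needs the four keys present with placeholder values.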

Other uses for PlistBuddy

PlistBuddy is an extremely useful command line utility for iOS and macOS developers who need to create or modify property lists for their applications. While we used it in this example to configure an app for push notifications, PlistBuddy can also be used for a variety of different development tasks.

These tasks can range from as simple as incrementing build version numbers for an iOS app, to complicated tasks like automated configurations for macOS applications and servers.
