How do I keep credentials out of source control on iOS

Question

My iOS application needs credentials to connect to several APIs. Because the project is open source, I don't want to check the credentials into the source code repository (git).

Ultimately, I want to be able to do something like this in my application code:

googleMapsApiKey = [AppCredentials googleMapsApiKey];

Where AppCredentials is initialized with a configuration file not under source control.

In the past, I've been using dynamic languages like Python or Ruby and arrived at solutions like this one to keep credentials out of source control. The approach is something like this:

1. have a public API which, at run time, parses a file containing all your credentials.
2. The config file containing all the passwords is transmitted out of band (e.g. encrypted in an email).
3. distribute an example credentials file to serve as a template for other developers

However, I don't know how to apply this approach on iOS. I can't just drop a 'passwords.json' file in the source root and parse it on app initialization. I can't put something in the app bundle, because the bundle is also checked into version control.

Note that this won't stop malicious people from extracting the credentials from the compiled app. I'm not looking to solve that problem at the moment. With this question I'm only interested in keeping the credentials out of source code.

Answer 1

This is really an SVC question, and from that point of view you want to simply add the configuration to a single file and have that file ignored by SVC.

Generally, I would add into the 'read me' file that this configuration file needs to be created at a specified location before the project will be valid.

Then, add the file to the project and give it target membership (so it's copied into the bundle at build time). Now, in the code, you can use something like:

[[NSBundle mainBundle] pathForResource:@"accountConfig" ofType:@"plist"];

to get the path to the file to load.