At Fueled, we take immense pride in developing applications that excel in providing an exceptional user experience while also prioritizing security and privacy. To uphold these standards, we implement rigorous security measures throughout our development process. A key practice we adhere to is ensuring that private keys and tokens are never stored as plain strings on devices or in the application source. Given that they are relatively easy to extract from an app binary, this approach helps us to safeguard sensitive information and maintain the integrity of our applications, offering our users a more secure and trustworthy experience.
For iOS and other Apple platforms, CocoapodsKeys was our long-time go-to solution which ensured that these per-user config settings were stored securely in the developer’s Keychain, and not in the application source. In 2019 when Apple introduced the Swift Package Manager (SPM), it became the go-to choice for managing 3rd party package dependencies for the team at Fueled and iOS developers elsewhere, as more and more open source frameworks added support for Swift Package Manager. While this transition from Cocoapods to Swift Package Manager worked well for us, we couldn’t use CocoapodsKeys as it’s meant to work exclusively with Cocoapods as a dependency manager.
It was also the time we noticed inconsistencies in these workflows, as iOS and Android teams had gravitated towards different tools. While the iOS team relied heavily on CocoapodsKeys (until then), the Android team was storing some of the keys in the code base without obfuscation, while storing the more sensitive ones as environment variables. With Cocoapods not a solution anymore and we set off with an aim to find a solution that could work not just for iOS but for other mobile platforms as well.
As one of the many initiatives we took to unify the tools and practices we used across both the teams, this initiative was especially critical to our efforts in improving our security processes for all our engineering platforms. The process of unifying our toolset has since helped us foster better collaboration, streamline workflows, and simplified knowledge sharing for our entire mobile practice.
Enter Arkana
Arkana [noun ‧ secret knowledge¹ — ar‧ka‧na | \är-ˈkā-nə] came as a recommendation from the very team who built and maintained CocoapodsKeys. Arkana is a fantastic open source tool that helps with managing app secrets such as API keys away from the code base. It also provides obfuscation when injecting these keys to the source code during compilation, making it a little bit more difficult for casual attackers to discover. Our iOS team first gave it a try and came to be super impressed with it and how easily it fit into our development workflow. However, while Arkana worked great for iOS (or Apple platforms in general), it lacked support for Android and other mobile platforms.
This led us to search for an alternative tool, but we just couldn’t find something as reliable as Arkana that provided support for both Android and iOS. At this point we were faced with a choice to either build our own tool from the ground up, or build upon Arkana to support Android as well. Thankfully, the choice was easy— contributing to Arkana made obvious sense, as it ensured consistency across both platforms but also provided us with a great opportunity to contribute to the open-source community.
And we didn’t stop there. Over the years, as our experience with Flutter and Kotlin Multiplatform (KMP) grew, we built on our previous contributions to Arkana by adding support for both. Now, Arkana supports all major native and cross-platform mobile development platforms, including iOS, Android, Flutter, and KMP.
Lastly, we can’t stress enough how important it is to securely store API keys and tokens to protect your app’s integrity and your users’ data. By following best practices and implementing strong security measures, you can greatly reduce the risk of unauthorized access and potential breaches. If you’re searching for a reliable tool to help manage this crucial aspect of your development process, give Arkana a try. Arkana is a powerful and user-friendly tool designed to securely store and manage your sensitive keys and tokens, making it easier for you to maintain high security standards in your applications.
This article wouldn’t have been possible without Hussein Aladeen’s support.