OAuth for iOS Applications
How to Solve for Security
It’s a common question that iOS developers need to answer when producing serious applications.
Where do you store an authentication token in an iOS application?
You might whack it in the keychain. That’s a good answer because you need to keep the data encrypted.
Yet you also need to think about how the token is generated. If it’s an API token for a public API, you want to avoid adding the token to a public GitHub repo.
So it might be better to add the token during your build process. Yet we can do better still for general token usage.
A good solution is to use an authorization code flow with PKCE (Proof Key for Code Exchange) which is the commonly recommended method for mobile and native applications.
This article is going to talk us through PKCE on a theoretical level.
Proof Key for Code Exchange (PKCE)
The PKCE flow mitigates the risks associated with tokens, and provides a good level of security for mobile applications.
The key here is to limit the lifespan of the token, mitigating the risk of holding a long-lived token.
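To make the flow concrete, here is an added example (not code from the original article, and not any real authorization server) that walks both sides of a PKCE exchange: the app generates a random code_verifier, sends only its S256 code_challenge with the authorization request, and later proves possession of the verifier when it redeems the authorization code. The AuthorizationServer class is a constructed stand-in for the server side, and the short expires_in value is an assumed illustration of a short-lived token.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional


def make_code_verifier() -> str:
    # RFC 7636: 43-128 chars from [A-Za-z0-9-._~]; 32 random bytes -> 43 base64url chars.
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier))) with the '=' padding removed.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Constructed stand-in for the server side of the exchange (not a real server)."""

    def __init__(self) -> None:
        self._pending: dict = {}  # authorization code -> code_challenge it was issued against

    def authorize(self, code_challenge: str, code_challenge_method: str) -> str:
        # Accept only S256; the "plain" method offers no protection if the challenge leaks.
        if code_challenge_method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> Optional[dict]:
        # Codes are single-use: pop so a replayed code fails even with the right verifier.
        expected = self._pending.pop(code, None)
        if expected is None:
            return None
        # Recompute the challenge from the presented verifier; compare in constant time.
        if not hmac.compare_digest(make_code_challenge(code_verifier), expected):
            return None
        # Short-lived access token (expires_in is an assumed value for illustration).
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 600}


def run_pkce_flow(server: AuthorizationServer) -> Optional[dict]:
    # Client side: verifier stays on the device; only the challenge goes out with the request.
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier), "S256")
    return server.token(code, verifier)
```

An intercepted authorization code is useless without the verifier, which never leaves the app until the token request, and the server rejects both a wrong verifier and a reused code.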