Secure your API keys in iOS/Android apps using Firebase

Narcis Tabarasi
7 min read · Aug 6, 2023

Case Study: OpenAI API

This article focuses on OpenAI API keys, but the same technique applies to any API key that has to be sent in plain text as part of a request, whether in a header or in the body.

Introduction:

In the past few months we have all witnessed an abundance of apps that use the OpenAI APIs to mimic the functionality offered by ChatGPT. There are hundreds of apps (in the App Store at least) with their own version of ChatGPT, but there’s ONE. BIG. PROBLEM.

The problem:

Driven by the desire to be among the first to market (no longer the case), most developers used the OpenAI APIs as-is, sending the API key in the Authorization header of every request straight from the app, without protecting the key at all.

See where I’m going with this?

Anyone with basic knowledge of an intercepting proxy (or of pulling strings out of an app binary) can, and will, get the API key in a matter of seconds, and before the developer knows it, hundreds or thousands of dollars may have evaporated from their account.

One might think “OK, let’s use SSL pinning so the communication stays private and its integrity is maintained”, but it’s not that simple: OpenAI doesn’t publish its certificates or a pinning policy (at the time of writing), so a pin can break the app without warning when the certificate rotates. More fundamentally, pinning doesn’t address the real problem: the key is still inside the app, where it can be read straight out of the binary, and pinning itself can be bypassed on a rooted or jailbroken device.
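To make the problem and the fix concrete, here is an added example (not code from the article; the article’s own Firebase implementation is not reproduced here): the request an app builds when it carries the key itself, what an intercepting proxy sees on the wire, a scanner for leaked keys, and a backend proxy in the shape of a Firebase HTTPS function that keeps the key server-side. The function names, the injected `verifyIdToken`, the `SAMPLE_KEY` value and the message-length limit are assumptions for the demo; in a real deployment the token check is firebase-admin’s `getAuth().verifyIdToken` and the key is read from a function secret.

```javascript
// Added example (not code from the original article): the insecure client pattern,
// what an intercepting proxy sees on the wire, and a server-side proxy in the shape
// of a Firebase HTTPS function that keeps the key out of the app. Runs offline:
// requests are built and inspected, never sent.

const OPENAI_URL = "https://api.openai.com/v1/chat/completions";
// Constructed sample key for the demo. Real OpenAI keys also begin with "sk-".
const SAMPLE_KEY = "sk-DEMO0000000000000000000000000000000000000000";

// Build the request OpenAI expects. Done on the device, this is the vulnerable
// pattern from the article; done on the server (below), it is the fix.
function buildOpenAIRequest(apiKey, userMessage) {
  return {
    url: OPENAI_URL,
    method: "POST",
    headers: {
      Authorization: `Bearer ${apiKey}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      model: "gpt-3.5-turbo",
      messages: [{ role: "user", content: userMessage }],
    }),
  };
}

// What Burp, mitmproxy or Charles shows once the app's TLS is intercepted:
// the request serialized as plain HTTP/1.1 text.
function serializeRequest(req) {
  const u = new URL(req.url);
  const lines = [`${req.method} ${u.pathname} HTTP/1.1`, `Host: ${u.host}`];
  for (const [name, value] of Object.entries(req.headers)) lines.push(`${name}: ${value}`);
  return lines.join("\r\n") + "\r\n\r\n" + (req.body || "");
}

// Scan captured traffic, or the output of `strings` on an app binary, for
// OpenAI-style keys. Assumption: the "sk-" prefix is fixed; the tail is matched
// loosely so newer key formats are not missed.
const OPENAI_KEY_RE = /\bsk-[A-Za-z0-9_-]{20,}\b/g;
function findLeakedKeys(text) {
  return [...new Set(text.match(OPENAI_KEY_RE) || [])];
}

// Hardened client: the app authenticates to our own backend with the user's
// Firebase ID token and sends only the prompt. No OpenAI key exists on the device.
function buildSecureClientRequest(backendUrl, firebaseIdToken, userMessage) {
  return {
    url: backendUrl,
    method: "POST",
    headers: {
      Authorization: `Bearer ${firebaseIdToken}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({ message: userMessage }),
  };
}

// Backend proxy, in the shape of a Firebase HTTPS function handler (hypothetical
// name). `verifyIdToken` is injected so this runs offline. In a deployed function
// it would be firebase-admin's getAuth().verifyIdToken (which is async, so await
// it), and `apiKey` would come from a function secret or environment variable,
// never from anything the client sent.
function proxyHandler(req, { apiKey, verifyIdToken }) {
  const auth = req.headers.Authorization || "";
  const idToken = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : "";
  if (!idToken) return { status: 401, body: "missing token" };

  let user;
  try {
    user = verifyIdToken(idToken); // throws on a forged or expired token
  } catch (e) {
    return { status: 401, body: "invalid token" };
  }

  let message;
  try {
    ({ message } = JSON.parse(req.body));
  } catch (e) {
    return { status: 400, body: "malformed body" };
  }
  // The client chooses only the prompt; model and length are fixed here so a
  // caller with a valid account cannot run up the bill or pick a pricier model.
  if (typeof message !== "string" || message.length === 0 || message.length > 4000) {
    return { status: 400, body: "bad message" };
  }

  // The only place the OpenAI key is attached: server side, after auth.
  const upstream = buildOpenAIRequest(apiKey, message);
  return { status: 200, uid: user.uid, upstream };
}
```

Run `findLeakedKeys(serializeRequest(...))` over both client requests: the device-side OpenAI request exposes the key to the proxy, the backend-bound request exposes only a short-lived ID token that buys nothing without your function. Two caveats for production: a valid Firebase account still lets a user call your function, so add per-user rate limits and, on mobile, Firebase App Check to restrict calls to genuine builds of your app; and the backend, not the client, must decide the model and token budget, or the bill moves rather than disappears.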
