php ios ios4

Is storing API key in iPhone app insecure?


I'm creating an iPhone app which needs to connect to a PHP-based website. The iPhone app will retrieve and add records. I'm guessing the communication between the website and the iPhone app should be controlled by an API key. iPhone app provides it and website checks for it.

I'm guessing I'd have to store that API key in the iPhone application itself, right? So my question: is storing the API key in the iPhone application risky? Can't someone somehow gain access to my API key and impersonate the iPhone app, thereby gaining access to the website? Or is this pretty difficult to do? If I'm thinking about it the wrong way, please tell me if there are better ways.


Solution

  • Whether you need to keep it really secret or not, you will have to encrypt and obfuscate it anyway, just to protect yourself from casual hackers.

    On the other hand, I don't believe you can stop a determined hacker. A combination of jailbreak, gdb and a traffic sniffer will defeat nearly any protection you can think of. Investing heavily in such protection rarely makes sense, so you will have to find a compromise between wasting a lot of time and effort and having your API key hackable.

    Personally, I like the idea of having the API key in an obfuscated form inside the application binary because the binary you get from App Store is encrypted. A little ptrace() hackery with PT_DENY_ATTACH can further complicate (but will never prevent completely) getting to your app through gdb. Chances are, this will be enough to avoid having your app floating all around the Internet in torrents in decrypted form. Then you will have to use HTTPS just because sniffing traffic is ridiculously easy and doesn't even require jailbreaking.

    One more important consideration. If HTTPS is out of the question and you have to send the API key in HTTP requests, forget about all of the above. It doesn't make sense protecting the key in the application bundle if it's sent in plain text over the network.
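
The approach described in the answer above (key kept masked in the binary, plus a `PT_DENY_ATTACH` call), shown as an added example that is not part of the original answer. The function names, the single-byte XOR mask and the placeholder key `DEMO-KEY-0000000` are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>
#if defined(__APPLE__)
#include <dlfcn.h>
#include <sys/types.h>
#endif

#define KEY_LEN 16
#define MASK 0x5A               /* constructed single-byte mask */
#define DEMO_PT_DENY_ATTACH 31  /* value of PT_DENY_ATTACH on Darwin */

/* Placeholder key "DEMO-KEY-0000000" XORed with MASK, so the plain key does
 * not show up in a `strings` dump. volatile stops the compiler from folding
 * the decode loop back into a plaintext constant. */
static const volatile unsigned char MASKED_KEY[KEY_LEN] = {
    0x1E, 0x1F, 0x17, 0x15, 0x77, 0x11, 0x1F, 0x03,
    0x77, 0x6A, 0x6A, 0x6A, 0x6A, 0x6A, 0x6A, 0x6A
};

/* Ask the kernel to refuse debugger attachment. The iOS SDK does not ship a
 * ptrace prototype, so the symbol is looked up at run time. No-op elsewhere. */
int deny_debugger(void) {
#if defined(__APPLE__)
    typedef int (*ptrace_fn)(int, pid_t, caddr_t, int);
    ptrace_fn fn = (ptrace_fn)dlsym(RTLD_DEFAULT, "ptrace");
    return fn ? fn(DEMO_PT_DENY_ATTACH, 0, 0, 0) : -1;
#else
    return 0;
#endif
}

/* Decode the key into a caller-owned buffer only when it is needed. */
int load_api_key(char *out, size_t out_len) {
    if (out == NULL || out_len < KEY_LEN + 1) return -1;
    for (size_t i = 0; i < KEY_LEN; i++) out[i] = (char)(MASKED_KEY[i] ^ MASK);
    out[KEY_LEN] = '\0';
    return 0;
}

/* Zero the buffer after use; the volatile pointer keeps the stores. */
void wipe(char *buf, size_t len) {
    volatile char *p = buf;
    while (len--) *p++ = 0;
}

int main(void) {
    char key[KEY_LEN + 1];
    deny_debugger();
    if (load_api_key(key, sizeof key) != 0) return 1;
    /* ... attach key to an HTTPS request here ... */
    wipe(key, sizeof key);
    return 0;
}
```

The decoded key still exists in memory while a request is built, so this raises the cost of casual extraction only and does not replace HTTPS or server-side checks.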