My app registers an NSURLProtocol subclass that intercepts one specific URL. The protocol replies to requests with a secret key.
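/// NSURLProtocol subclass that answers requests for a single URL (keyURL)
/// with a fixed key, entirely in-process.
///
/// NOTE(review): the key below is a string literal compiled into the app
/// binary, so it ships to every user who has the app. The only gate in this
/// class is the URL comparison in +canInitWithRequest:; the caller is not
/// identified, so the key goes to whichever loader asks for keyURL. Treat
/// this as obfuscation, not as a confidentiality boundary. For real content
/// protection, deliver per-user keys from an authenticated server or use the
/// platform's DRM key-delivery path instead of embedding the key.
@implementation PrivateURLProtocol

/// Claims a request only when its URL equals keyURL; returns NO otherwise.
/// keyURL is declared outside this listing.
+ (BOOL)canInitWithRequest:(NSURLRequest *)request
{
    return [request.URL isEqual:keyURL];
}

/// Replies to the claimed request with the key as a text/plain body and
/// finishes the load before returning.
- (void)startLoading
{
    NSURLResponse *response =
        [[NSURLResponse alloc] initWithURL:self.request.URL
                                  MIMEType:@"text/plain"
                     expectedContentLength:NSURLResponseUnknownLength
                          textEncodingName:nil];

    // Caching is disallowed so the key is not stored by the URL cache.
    [self.client URLProtocol:self
          didReceiveResponse:response
          cacheStoragePolicy:NSURLCacheStorageNotAllowed];

    // NOTE(review): hard-coded secret; see the class comment.
    NSData *data = [@"Swordfish" dataUsingEncoding:NSUTF8StringEncoding];
    [self.client URLProtocol:self didLoadData:data];
    [self.client URLProtocolDidFinishLoading:self];
}

/// Nothing to cancel: -startLoading delivers the whole reply before returning.
- (void)stopLoading
{
}

/// Returns the request unchanged; no canonicalisation is applied.
+ (NSURLRequest *)canonicalRequestForRequest:(NSURLRequest *)request
{
    return request;
}

@end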
Only my code and the libraries I link against should be able to see the key. How might an enterprising user obtain my secret key? Is this secure?
For those curious, this is part of a DRM setup. AVPlayer will request the key so it can play encrypted media.