Hard coding in IOS app

Question

We have an IOS app which connects to API/server through SSL connection. The SSL keys have been hard coded in the APP, the SSL certificate has expired and now the app is not functioning.

Q1. We want to avoid submitting the APP to the store as it takes upto 2 weeks to update the app.

Q2. We also want to get the SSL keys from CDN/store so that we dont hard-code it. But when we make the call to the store how do we ensure that its a secured connection?

What is the best way to get out of this situation?

Answer 1

I think you can use Google Tag Manager. You can publish new certificate through GTM instead of resubmit new ipa.

Answer 2

I am sorry to say, but there is probably no way to do it except to upload new app. Here you can see how long it takes on average for users to get App approved - it is not as bad as 2 weeks, it can be much shorter (especially if it is update, those usually take less time from my experience)

So for the second question, I would advice you not to do it. Those keys should be present on the device, and you would have to update the App with new codebase anyway.

You can as well update the key and then, later, update the key in advance if you need to (it does not expire every month, and if you have production application, you will probably update it from time to time).

If you really need to download the key, then probably most secure way how to do it would be to encrypt the key on server side, send it to device and decrypt on device (possibly using AES128, 256 or something similar). You can also use signed download links with expiration time to add extra layer of security (fe. amazon S3 buckets provide that functionality).

Hope it helps!