
How to Safely Call OpenAI API in iOS Apps

Ethan Parker

As AI capabilities become more common in mobile apps, developers are looking for ways to integrate OpenAI APIs. While there are many tutorials and SDKs available, most teach methods that can be dangerous. The key principle to remember is:

Your app should never have direct access to OpenAI keys. Period.

Common Mistakes and Why They’re Risky

Many tutorials suggest storing the OpenAI key in a constant or in the project’s Info.plist. However, these methods make it easy for anyone to extract the key. Here’s why:

  1. Storing in Info.plist: an IPA is just a zip archive, so the key can be read by simply unzipping it and opening the plist.
  2. Storing in code: tools like strings can pull the key straight out of the compiled binary.

I tested this myself by cloning a ChatGPT client from GitHub, adding a fake OpenAI key, and compiling it. Using strings, I recovered the key in seconds by searching for the prefix sk-.

You might think about obfuscating the key or downloading it from a server at runtime, but these methods aren’t secure either. On a device they control, attackers can intercept traffic between the app and OpenAI’s servers, even over HTTPS, using a proxy such as mitmproxy, and the key can then simply be read from the Authorization header of the request.

Certificate pinning isn’t a reliable solution either: it breaks if OpenAI rotates its certificate, and it offers no protection on a jailbroken device.

What About OpenAI’s Built-in Limits?

While OpenAI offers spending limits and endpoint restrictions, exposing your key is still risky. Attackers can use your key for their own applications or sell it on the black market. A single bad user could also exhaust your account limit, affecting all your legitimate users. Finally, if your key is being exploited by bad actors, you cannot rotate it without affecting all users, because the key is baked into the app.

The Right Way to Do It

The safest approach is to make OpenAI calls from your own server. Your server can authenticate users, enforce limits, and keep the OpenAI key where the app can never read it. This also lets you update prompts and models without going through App Store review.
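What that server-side layer boils down to, as an added example in Python that is not the article’s or ServerlessAI’s code: the OpenAI key lives only on the server, every request must carry a valid session token (here a simplified HMAC-signed token standing in for a real JWT, an assumption made for the demo), each user gets a sliding hourly quota, and the server rather than the app decides which model is called. The HTTP layer and the actual upstream call are left out; the function returns the request the server would send.

```python
import base64, hashlib, hmac
OPENAI_KEY = "sk-PLACEHOLDER"              # real key comes from server config; it never reaches the app
SESSION_SECRET = b"constructed-demo-secret"  # assumption: server-side key used to sign session tokens
ALLOWED_MODEL = "gpt-4o-mini"               # the server picks the model; the app cannot override it
MAX_REQUESTS_PER_HOUR = 20
_recent = {}                                # user_id -> timestamps of recent requests (in-memory demo)

def issue_session_token(user_id: str, expires_at: int) -> str:
    """Mint an HMAC-signed session token; a simplified stand-in for a JWT from a real identity provider."""
    payload = f"{user_id}:{expires_at}".encode()
    sig = hmac.new(SESSION_SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig

def verify_session_token(token: str, now: int):
    """Return the user id if the token is authentic and unexpired, otherwise None."""
    try:
        payload_b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        user_id, expires_at = payload.decode().rsplit(":", 1)
        expected = hmac.new(SESSION_SECRET, payload, hashlib.sha256).hexdigest()
        if hmac.compare_digest(sig, expected) and int(expires_at) > now:
            return user_id
    except (ValueError, UnicodeDecodeError):
        pass  # malformed token: treated exactly like a forged one
    return None

def within_rate_limit(user_id: str, now: int) -> bool:
    """Sliding one-hour window per user, so one abusive user cannot drain the shared quota."""
    window = [t for t in _recent.get(user_id, []) if t > now - 3600]
    _recent[user_id] = window
    if len(window) >= MAX_REQUESTS_PER_HOUR:
        return False
    window.append(now)
    return True

def build_upstream_request(client_token: str, client_body: dict, now: int):
    """Return (status, payload): an error for the app, or the request the server sends to OpenAI."""
    user_id = verify_session_token(client_token, now)
    if user_id is None:
        return 401, {"error": "invalid or expired session"}
    messages = client_body.get("messages")
    if not isinstance(messages, list) or not messages:
        return 400, {"error": "messages required"}
    if not within_rate_limit(user_id, now):
        return 429, {"error": "hourly request limit reached"}
    return 200, {
        "url": "https://api.openai.com/v1/chat/completions",
        "headers": {"Authorization": f"Bearer {OPENAI_KEY}"},
        "body": {"model": ALLOWED_MODEL, "messages": messages, "user": user_id},
    }
```

Note that the app’s own "model" field is ignored and the server-side choice is used instead, so a tampered client cannot switch you to a more expensive model.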

The downside? You’ll need to write and maintain backend code, which might not be ideal for mobile developers.

ServerlessAI: An Alternate Solution

ServerlessAI offers a simple solution. It provides APIs that mirror OpenAI’s but are safe for client-side use. Requests are forwarded to your chosen provider (OpenAI, Anthropic, Mistral, or Groq).

How to Use ServerlessAI in Your iOS App

  1. Choose how you want to authenticate your users

    • If you require users to sign in to use your product, you can use any identity provider that issues JWTs, such as Sign in with Apple or Sign in with Google.
    • If you want to allow guest access, you can simply use a unique identifier such as identifierForVendor.
  2. Set up your ServerlessAI project

    • Visit ServerlessAI and create your project
    • Add your chosen provider’s API key
    • Configure JWT information if you’re using authentication
  3. Make API calls

    • Install MacPaw’s OpenAI client via Swift Package Manager
    • Initialize the client like this:
    import OpenAI
    
    // getUserJWT() is your own helper that returns the current user's JWT from step 1.
    // The token is "<project id>:<user JWT>"; no OpenAI key is present in the app.
    let client = OpenAI(
        configuration: OpenAI.Configuration(
            token: "PROJECT_ID:\(getUserJWT())",
            host: "openai.api.serverlessai.dev"
        )
    )
    

For a complete example of an iOS chatbot app using this method, check out our tutorial.

By following these steps, you can safely integrate OpenAI capabilities into your iOS app without compromising security.
