As AI capabilities become more common in mobile apps, developers are looking for ways to integrate OpenAI APIs. While there are many tutorials and SDKs available, most teach methods that can be dangerous. The key principle to remember is:
Your app should never have direct access to OpenAI keys. Period.
Many tutorials suggest storing the OpenAI key in a constant or in the project's Info.plist. However, these methods make it easy for anyone to extract the key. Here's why:
- Info.plist: the key is accessible by simply uncompressing the IPA file.
- Constant in code: strings can easily extract the key from the binary.
I tested this myself by cloning a ChatGPT client from GitHub, adding a fake OpenAI key, and compiling it. Using strings, I recovered the key in seconds by searching for the prefix sk-:
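The same search, turned into a check you run on your own build before it ships. This is an added example, not the author's test setup or any tool from the article: it reimplements in Python the printable-run extraction that strings performs, looks for the sk- prefix the article mentions, and exits non-zero so a CI step can fail the build when a key is embedded. The binary is a constructed byte blob standing in for a compiled app, and the key shape beyond the sk- prefix is an assumption.

```python
"""Pre-release leak check for embedded OpenAI keys (added example, not the
article's tooling). Mirrors what strings(1) does: pull printable ASCII runs
out of a build artefact, then flag anything shaped like an sk- key."""
import re

# The article only states the sk- prefix; the charset/length tail is an assumption.
OPENAI_KEY = re.compile(r"sk-[A-Za-z0-9_-]{20,}")


def extract_strings(blob: bytes, min_len: int = 4):
    """Yield printable ASCII runs of at least min_len bytes, like strings(1) by default."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for match in pattern.finditer(blob):
        yield match.group().decode("ascii")


def find_embedded_keys(blob: bytes) -> list:
    """Return every sk-shaped key present in the binary's string table."""
    found = []
    for text in extract_strings(blob):
        found.extend(OPENAI_KEY.findall(text))
    return found


def scan_build_artefact(path: str) -> list:
    """Scan a file on disk (e.g. the app binary extracted from an unzipped IPA)."""
    with open(path, "rb") as handle:
        return find_embedded_keys(handle.read())


# Constructed stand-in for a compiled binary: a Mach-O-like header, filler bytes,
# a URL constant, and a fake key stored as a string literal between them.
FAKE_KEY = "sk-" + "A1b2" * 8
SAMPLE_BINARY = (
    bytes([0x00, 0xCF, 0xFA, 0xED, 0xFE])
    + b"\x01\x02" * 16
    + b"https://api.openai.com/v1/chat/completions\x00"
    + FAKE_KEY.encode("ascii")
    + b"\x00"
    + b"\xff\x00" * 8
)

if __name__ == "__main__":
    hits = find_embedded_keys(SAMPLE_BINARY)
    print("embedded keys:", hits)
    raise SystemExit(1 if hits else 0)  # non-zero exit makes a CI step fail the build
```

Point scan_build_artefact at the binary inside the Payload/ directory of an unzipped IPA (and at Info.plist, which is plain text) as a release gate; a clean build returns an empty list and the step passes.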
You might think about obfuscating the key or downloading it from a server, but these methods aren't secure either. Attackers can intercept traffic between the device and OpenAI servers, even with HTTPS, using tools like mitmproxy. The key can then simply be read off the HTTP request header.
Certificate pinning isn't a reliable solution either: it can break if OpenAI rotates their certificate, and it doesn't protect against jailbroken devices.
While OpenAI offers spending limits and endpoint restrictions, exposing your key is still risky. Attackers can use your key for their own applications or sell it on the black market. Plus, a single bad user could exhaust your account limit, affecting all your legitimate users. Finally, if your key is being exploited by bad actors, you cannot rotate it without affecting all users.
The safest approach is to make OpenAI calls from your own server. Your server can authenticate users, enforce limits, and securely store the OpenAI key. This method also allows you to update prompts and models without going through App Store review.
The downside? You’ll need to write and maintain backend code, which might not be ideal for mobile developers.
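What that backend has to do, as an added example that is not the article's code and not ServerlessAI's: verify a token your own login flow issued, apply a per-user quota, fix the model and system prompt on the server, and only then call the provider with a key that exists solely in the server's environment. The JWT secret, the placeholder API key, the model name and the fake_upstream stand-in for the provider call are all constructed assumptions; a real deployment wraps handle_chat in an HTTP framework and passes an upstream function that performs the HTTPS request.

```python
"""Server-side gateway for OpenAI calls (added example, not the article's or
ServerlessAI's code): the app sends a JWT from your own login flow, the server
verifies it, enforces a per-user quota, decides model and prompt, and only then
forwards to the provider with a key that never leaves the server."""
import base64
import hashlib
import hmac
import json
import time
from collections import defaultdict

# Constructed configuration. In production both values come from the server's
# environment or a secrets manager, never from the app bundle.
JWT_SECRET = b"demo-signing-secret"            # assumption: HS256 key shared with your auth server
OPENAI_API_KEY = "sk-PLACEHOLDER-SERVER-ONLY"  # placeholder; the real key is only ever read here


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(user_id: str, ttl: int = 3600, now=None) -> str:
    """HS256 JWT as your own login endpoint would mint it after authenticating the user."""
    now = time.time() if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_id, "exp": int(now + ttl)}).encode())
    sig = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, now=None):
    """Return the user id if signature and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # forged or tampered token
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token
    if claims.get("exp", 0) < now:
        return None  # expired: the client must log in again
    return claims.get("sub")


class Quota:
    """Sliding-window request limit per user, so one abusive user cannot exhaust the account."""

    def __init__(self, max_requests: int, window_seconds: int):
        self.max_requests, self.window = max_requests, window_seconds
        self.hits = defaultdict(list)

    def allow(self, user_id: str, now: float) -> bool:
        recent = [t for t in self.hits[user_id] if now - t < self.window]
        if len(recent) >= self.max_requests:
            self.hits[user_id] = recent
            return False
        recent.append(now)
        self.hits[user_id] = recent
        return True


def handle_chat(headers: dict, body: dict, quota: Quota, upstream, now=None):
    """Gateway endpoint. upstream(api_key, request) is the provider call, injected so the
    example runs offline; a deployment passes a function that performs the HTTPS request."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    user = verify_jwt(auth[len("Bearer "):].strip(), now) if auth.startswith("Bearer ") else None
    if user is None:
        return 401, {"error": "invalid or expired token"}
    if not quota.allow(user, now):
        return 429, {"error": "quota exceeded"}
    # Model and system prompt are server policy (assumed values); changing them needs no app update.
    request = {
        "model": "gpt-4o-mini",
        "messages": [{"role": "system", "content": "You are a helpful assistant."}]
        + body.get("messages", []),
    }
    return 200, upstream(OPENAI_API_KEY, request)


def fake_upstream(api_key: str, request: dict) -> dict:
    """Constructed stand-in for the provider: reports what it received instead of calling out."""
    return {"model": request["model"], "key_present": api_key.startswith("sk-"), "turns": len(request["messages"])}
```

The client only ever holds the short-lived JWT; if it leaks, it expires and is bound to one user's quota, whereas a leaked provider key is the whole account.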
ServerlessAI offers a simple solution. It provides APIs that mirror OpenAI’s but are safe for client-side use. Requests are forwarded to your chosen provider (OpenAI, Anthropic, Mistral, or Groq).
1. Choose how you want to authenticate your users
   identifierForVendor
2. Set up your ServerlessAI project
3. Make API calls
    import OpenAI

    // Replace PROJECT_ID with your ServerlessAI project id. getUserJWT() returns
    // the JWT for the current user from the authentication method chosen above;
    // the project id and user JWT are sent in place of an OpenAI key.
    let client = OpenAI(
        configuration: OpenAI.Configuration(
            token: "PROJECT_ID:\(getUserJWT())",
            host: "openai.api.serverlessai.dev"
        )
    )
For a complete example of an iOS chatbot app using this method, check out our tutorial.
By following these steps, you can safely integrate OpenAI capabilities into your iOS app without compromising security.