API Keys and Their Security on Coinance

Mathias Klenk
Published in Coinance, Mar 18, 2018

In our latest update, we implemented a new feature: users can connect their exchanges to Coinance. Many users who hear this may be concerned about its security, having seen news about API key hacks and scams in cryptocurrency apps over the last few months. I therefore want to take the chance to outline how Coinance handles your API key pairs and how we deal with user data in general. I will first describe our principles regarding user privacy, and then show, with a very simple code example, how our iOS application handles the API keys of an exchange like Binance.

If there is one thing I am proud to say about our app, it is that we value our users' privacy and security above all. As we have already written in previous articles and Reddit posts, we don't collect any data about our users' holdings, nor any data that would make it possible to trace them back. Everything we don't specifically need for the user experience stays on the phone. The only data that goes back to our servers is, for example, your favourited coins, so that we can send you push notifications about them, and even that is anonymised so that we don't know who you are. The second thing we use is data about crashes and general usage behaviour, e.g. which features are tapped, but again we can't tell from that data who you actually are.

With our latest update, we introduced a second layer within our app. Signed-up users can now connect their favourite exchanges with their API keys and secrets. Why do we want you to sign up for that? Simply because we are planning to launch new features exclusively for signed-up users, such as our own wallet or exchange features like buying Bitcoin directly on Coinance. By doing that we plan to move closer to Coinbase, PayPal or Venmo and go in the payment direction. Starting today, this is the first feature for signed-up users within Coinance.

But how does this new feature actually work with the API key pairs, and what does it look like in code when you set up an exchange on Coinance? For this I copied a few lines from our iOS application to show what we do with your key pairs. In summary, all API key/secret pairs are stored in the iOS Keychain on your device, where the OS encrypts them at rest, and they are never sent to our servers. This has two advantages: you keep full control of your key pairs, and we reduce the risk of being targeted by hackers, because we have no knowledge of your keys. Two caveats that apply to any app holding exchange keys: whoever obtains the pair can do whatever the key is allowed to do at the exchange, so create the key with only the permissions the app needs (Binance lets you leave trading and withdrawals disabled on a key that only reads balances), and the Keychain item's accessibility class decides whether it is restored to other devices from a backup, so secrets like these belong in a "this device only" class.

The first step is either to enter the API key pair manually or to scan its QR code. What actually happens once you hit the "Save Account" button is the following:

// (This runs inside the view controller's save action; the file imports UIKit and KeychainAccess.)
// 1. First we open Apple's Keychain and read what has been typed or scanned into the text fields
let keychain = Keychain(service: Constants.keychainBundleID)
guard let apiKey = apiKeyTextfield.text, let apiSecret = apiSecretTextfield.text,
      !apiKey.isEmpty, !apiSecret.isEmpty else { return }
do {
    // 2. We save the API key under its name (KeychainAccess's set(_:key:) throws, hence the try)
    try keychain.set(apiKey, key: "binanceApiKey")
    // 3. Same thing for the API secret
    try keychain.set(apiSecret, key: "binanceApiSecret")
} catch {
    print("Keychain write failed: \(error)")
    return
}
// 4. All done. This brings you back to your wallet overview
performSegue(withIdentifier: "goBackToWalletOverview", sender: self)

Wow, congratulations to all coding newbies: if you understood what we are doing up there, you have successfully read and understood your first lines of code. That wasn't so difficult, was it? ;)

What happens next is that, at a given point in the app, we read the information stored above and make our call to Binance's API. That looks like the following:

private func retrieveBinanceWallets() {
    // 1. Read the stored key from the Keychain. `keychain` is the same
    //    Keychain(service:) instance as above, kept as a property of this
    //    view controller; getString throws, so the call needs do/catch.
    let binanceApiKey: String?
    do {
        binanceApiKey = try keychain.getString("binanceApiKey")
    } catch {
        print("Keychain read failed: \(error)")
        return
    }

    // 2. Check whether you have actually set up Binance
    guard binanceApiKey != nil else { return }

    // 3. Initialise a new Binance exchange object (it reads the key and
    //    secret from the Keychain itself when it makes the call)
    let binanceEx = BinanceExchange(provider: "Binance", rank: 0)
    // 4. Call the fetch-wallets function; the closure runs once the result is back
    binanceEx.fetchWallets { () in
        self.noWalletsLabel.isHidden = true
        // 5. Add the retrieved exchange object to the array and sort it
        self.embedvc?.arrayOfExchanges.append(binanceEx)
        self.embedvc?.arrayOfExchanges.sort { $0.rank < $1.rank }
        // 6. Reload the table and remove the loading spinner
        self.embedvc?.tableView.reloadData()
        self.loadHelper.removeLoadingSpinner(spinner: self.spinner)
        // 7. Update the total balance (skip a wallet with a malformed amount
        //    instead of crashing on a force cast)
        var allWalletBalancesTogether = 0.0
        for wallet in binanceEx.wallets {
            guard let walletBalance = wallet.native_balance["amount"] as? Double else { continue }
            allWalletBalancesTogether += walletBalance
        }
        self.updateTotalLabel(addValue: allWalletBalancesTogether)
    }
}

Number 4 fetches all wallets from a given exchange. Within that function we read the apiKey and apiSecret for Binance from the Keychain, make an HTTPS call to Binance, get back the result, convert it to your selected currency within Coinance and hand the whole object back, which is what arrives in number 5. I left that step out since it is a lot of lines, but from a security perspective we aren't doing anything different from the above: the key and secret are retrieved from the Keychain only at the moment the call is made.
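To make the two steps above concrete, here is an added example of the same flow; it is not Coinance's code and the type and function names (ExchangeCredentialStore, BinanceRequestSigner, hmacSHA256Hex, signedRequest) are illustrative. It assumes the KeychainAccess library the original snippet uses and Apple's CryptoKit (iOS 13 or later). It goes one step beyond the post in two places that matter for security: the Keychain items are written with an explicit accessibility class so they are only readable while the device is unlocked and are never migrated to another device via a backup, and it shows what the secret is actually used for. Binance's signed endpoints require the API key in the X-MBX-APIKEY header and an HMAC-SHA256 signature over the query string as a signature parameter, so the secret itself is never put on the wire.

```swift
import Foundation
import CryptoKit
import KeychainAccess

struct ExchangeCredentials {
    let apiKey: String
    let apiSecret: String
}

enum CredentialStoreError: Error {
    case missingCredentials
}

/// Wraps the Keychain so every write uses the same accessibility class.
/// (Illustrative type, not from the Coinance app.)
struct ExchangeCredentialStore {
    private let keychain: Keychain

    init(service: String) {
        // whenUnlockedThisDeviceOnly: readable only while the device is
        // unlocked, and never restored to a different device from a backup.
        keychain = Keychain(service: service)
            .accessibility(.whenUnlockedThisDeviceOnly)
    }

    func save(_ creds: ExchangeCredentials, exchange: String) throws {
        try keychain.set(creds.apiKey, key: "\(exchange)ApiKey")
        try keychain.set(creds.apiSecret, key: "\(exchange)ApiSecret")
    }

    func load(exchange: String) throws -> ExchangeCredentials {
        guard let key = try keychain.getString("\(exchange)ApiKey"),
              let secret = try keychain.getString("\(exchange)ApiSecret") else {
            throw CredentialStoreError.missingCredentials
        }
        return ExchangeCredentials(apiKey: key, apiSecret: secret)
    }

    func remove(exchange: String) throws {
        try keychain.remove("\(exchange)ApiKey")
        try keychain.remove("\(exchange)ApiSecret")
    }
}

/// Builds a signed Binance REST request: the API key travels in the
/// X-MBX-APIKEY header, the secret is used only to compute the signature.
struct BinanceRequestSigner {
    let baseURL = URL(string: "https://api.binance.com")!

    /// Hex-encoded HMAC-SHA256 of `message` keyed with `secret`.
    func hmacSHA256Hex(message: String, secret: String) -> String {
        let key = SymmetricKey(data: Data(secret.utf8))
        let mac = HMAC<SHA256>.authenticationCode(for: Data(message.utf8), using: key)
        return mac.map { String(format: "%02x", $0) }.joined()
    }

    /// `params` are assumed to be URL-safe already (keys and values such as
    /// recvWindow=5000); Binance signs the exact query string, so the order
    /// used here is the order that is sent.
    func signedRequest(path: String,
                       params: [(String, String)],
                       creds: ExchangeCredentials,
                       timestampMillis: Int64 = Int64(Date().timeIntervalSince1970 * 1000)) -> URLRequest {
        var query = params.map { "\($0.0)=\($0.1)" }
        query.append("timestamp=\(timestampMillis)")
        let unsigned = query.joined(separator: "&")
        let signature = hmacSHA256Hex(message: unsigned, secret: creds.apiSecret)
        let url = URL(string: "\(path)?\(unsigned)&signature=\(signature)", relativeTo: baseURL)!
        var request = URLRequest(url: url.absoluteURL)
        request.httpMethod = "GET"
        request.setValue(creds.apiKey, forHTTPHeaderField: "X-MBX-APIKEY")
        return request
    }
}

// Usage, e.g. inside a fetchWallets() implementation:
// let store = ExchangeCredentialStore(service: Bundle.main.bundleIdentifier!)
// let creds = try store.load(exchange: "binance")
// let request = BinanceRequestSigner().signedRequest(path: "/api/v3/account",
//                                                    params: [("recvWindow", "5000")],
//                                                    creds: creds)
// URLSession.shared.dataTask(with: request) { data, response, error in
//     // parse the account balances from `data`
// }.resume()
```

Because the signature is computed over the whole query including the timestamp, a captured request cannot be replayed after Binance's recvWindow expires, and a leaked request reveals only the API key, not the secret. Removing the credentials when the user disconnects an exchange (remove(exchange:)) is part of the same story: a Keychain item that is no longer needed should not outlive the feature that needed it.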

So overall, the two takeaways from this post are:

  • We value the privacy and security of our users highly and therefore don't collect any unnecessary data about them.
  • We don't store or have access to any API key pairs. They stay in the Keychain on the device, encrypted at rest by iOS, and are only read when they are needed for the API calls.

I hope this short article sheds some light on the whole project and that I explained it simply enough. If you have any further questions, feel free to comment here, come into our Telegram group to discuss, or shoot me an email.

Coinance on the AppStore

Telegram Group

Email Mathias ;)

Mathias is a 27 year old Software Engineer from San Francisco. He is interested in mobile app development, machine learning, and crypto currencies. In his free time he loves photography, traveling, and snowboarding.
