What’s the best way to use environment variables for Pythonista? And how do I set them in the first place? I’m looking to not store an api key in a file if I can avoid it. I’ve been all through the settings and I nothing jumped out at me.
I do realise I could import keys from an external file but I’m surprised I haven’t seen anything specific for Pythonista since we don’t have that level of customisation with our (i)OS :)
Env variables are not persistent, so that won't work, since you would have to set it every time you want to use it. Environment variables are mostly used for scripts intended to run from the command line.
Check out the keychain module in the docs -- this uses the iOS keychain, and is a semi secure way to store things like passwords.
Be careful that keychain is not shared between Pythonista running modes, like normal and appex.
And not shared between devices, like you could do with a parameters file.
ahh no worries then.
What's the best way to "secure" these keys to be used by multiple devices?
Obviously importing them from another file from the cloud means they are "on the cloud".
Can python scripts in the Cloud data area access scripts on your device area?
I think I'll probably just include a key script file on each device, I'm guessing that's the norm? I don't plan to distribute that file off my device, should I be concerned about encrypting it?
I suppose you could have a file in iCloud, so it is distributed to multiple devices, but encrypt the file first (iirc pythonista comes with pycrypto). You would store the password in your keychain to decrypt on device (or prompt for a password if you are super paranoid).
I guess the question is what do you think your threat is -- someone hacking your iCloud account? Someone gaining access to one of your devices, unlocked? Also, are you storing your GitHub credentials (which could be easily revoked if compromised, and maybe just is annoying and embarassing), or the key to your bitcoin wallet where you have your life fortune stored ...
Good point re local decreyption key and storing it in the cloud.
TBH, it's more an exercise in "how" to do it, mostly because I've never worried too much because it is only me. But I'm looking to want to do more interesting stuff with APIs that are potentially dangerous (very limited financial access) and also "play" with the idea of using git a bit more (I am aware of .gitignore and will be using it).
No github login credentials or deliberate sharing of any ssh keys or anything like that, certainly not intentional.
With "the cloud: it's not so much a concern of a targeted attack or anything like that, but just a leaking of information, say through an app that may have too much privilege or a little more scope than what I intended. And just about learning better practices.
For the time being I have independent files on the devices, but this project is going to get bigger (hopefully) and so I might move development to an actual computer as I am always hampered by doing real coding on the ipad. I DO do it, but it's just never great.
For the time being I just have a single import which has the credentials on the device itself, ie not in the cloud. It's probably better that way :)
Hi @madivad did you end up finding a solution for this? I need to cache API tokens across Pythonista runs, and am curious to know whether you've found a way to store these outside of the code in a way that is reasonably secure and sharable across devices.
Again, it depends on what you mean by reasonably secure.
Are you worried about someone with access to your unlocked device? If so, there are few secure options (without implementing your own password, or keychain set_master_password), because anything that your app can access can also be accessed by others.
If that's not your concern, then many options are equally secure:
File local to your device
Something stored in your Keychain
(Since files are encrypted on all newer devices)
File stored in iCloud also seem reasonably secure, assuming your iCloud account is secure. If you are someone who is likely to succumb to a phishing attack, then maybe that's not a good idea.
Though you could also encrypt the file with a password for storage in iCloud, if you are really paranoid.
Ssh keys shouldn't change frequently, so using ftp or samba or a temporary web page or temporary git server would all work to get files into the device one time. Also, google api keys can usually be downloaded directly from the developer dashboard or whatever it is called these days, directly to each device.
Thanks @JonB. I'm looking to cache API keys for Dropbox (see this thread) so "reasonably secure" should probably mean "invisible from access if someone gets access to the device".
The use case / need is to store short-lived authentication tokens used for Dropbox API calls. Although this pattern-matches against the environment variables option, these tokens need to be refreshed fairly frequently. The refresh is relatively painless/automated, but still results in an updated key values that needs to be stored. I suspect an .env file or similar stored somewhere that the Files app can read it directly is probably not a good solution since these keys might allow access to sensitive information,
.
Encrypting a settings file in iCloud at rest might work but I'm not clear how to do that if the python code that would decrypt the data is also stored in iCloud -- wouldn't that mean someone could just read the Python code and figure out how to decrypt it? I might be missing something here.
I'd prefer something less tied to the Mac ecosystem, but maybe Keychain is the best option to explore?