I'm new to app development and am currently developing an iOS app using Swift in Xcode. During the app development process, it's been brought to my attention that I shouldn't store sensitive information such as API secrets as local variables. I'm assuming this is because there are methods of viewing an app's code.
The app I'm developing has no accounts or user log-in, and I don't want it to. For simplicity, I'll explain it this way:
A user may make a "room" with a certain room ID specified by that user. The user's device has an associated ID that is saved to a database to show that the created room is owned by that user.
Another user, specified as a guest, may join said room with said room ID. When they attempt to join the room, their device ID is checked against the database, and a local Boolean is specified stating whether or not this user is the host.
Whether or not the user is the host, a segue commences to another view controller, and the Boolean is sent too. From this point on there are functions and statements that only get called if the Boolean specifies that the user is the host, allowing only hosts certain permissions.
My worry is that there is some way to exploit this such that guests may somehow change or set that local Boolean to signify that they are the host when they are not. Should I worry about this as a potential security issue? No personal information of hosts or guests is saved or used in this app outside of device-specific IDs, which are saved in or checked against the database, but I would still like the security of only allowing hosts specific room permissions.
> I'm assuming this is because there are methods of viewing an app's code.
Not precisely, but it's best if you assume this is true. Your exact source code is not available, but any data stored in the app can be extracted, and any algorithm the app implements can be reverse engineered. You cannot hide anything in an app you ship to a user.
> My worry is that there is some way to exploit this such that guests may somehow change or set that local Boolean to signify that they are the host when they are not.
This is true, but isn't really the main security concern. The fundamental concern is that the server can never trust an app. I am free to create my own app that connects to your server and sends whatever I want. The server must be resilient to that. So things like "room owner" checks must be performed on the server. You cannot rely on the app performing them. You have to assume the app is under the complete control of its user. Given that, what security issues do you see?
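One way to apply the answer's point that "room owner" checks belong on the server, as an added example that is not part of the original answer: the server decides ownership from its own stored state and never reads a host flag sent by the client. The in-memory store, the function names and the owner-token scheme (a random secret issued at room creation) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical in-memory store standing in for the server's database:
# room_id -> SHA-256 digest of the owner token issued at creation.
_rooms = {}


class Forbidden(Exception):
    """Raised when a caller is not the owner of the room."""


def _digest(token: str) -> bytes:
    return hashlib.sha256(token.encode("utf-8")).digest()


def create_room(room_id: str) -> str:
    """Create a room and return a random owner token to the creating client."""
    if room_id in _rooms:
        raise ValueError("room already exists")
    token = secrets.token_urlsafe(32)
    _rooms[room_id] = _digest(token)  # store only the digest, not the token
    return token


def is_owner(room_id: str, presented_token) -> bool:
    """Decide ownership from server-side state only."""
    stored = _rooms.get(room_id)
    if stored is None or not isinstance(presented_token, str) or not presented_token:
        return False
    # Constant-time comparison of the stored and presented digests.
    return hmac.compare_digest(stored, _digest(presented_token))


def close_room(room_id: str, request: dict) -> str:
    """Host-only action. `request` is the untrusted body sent by any client."""
    # A client-supplied "is_host" field is deliberately never read here.
    if not is_owner(room_id, request.get("owner_token")):
        raise Forbidden("only the room owner may close the room")
    del _rooms[room_id]
    return "closed"
```

The app can still keep its local Boolean to decide which controls to show; the server's answer is what determines whether a host-only request succeeds.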