mattt
commented
11 months ago @AlexeyYarmolovich Developers can follow Apple's guidance for Identity Pinning to help mitigate the kind of attack you describe.
Instead, they should communicate through their own backend, which securely stores the token and handles requests to Replicate.
That's certainly an option, but I think most folks probably aren't interested in running their own proxy.
App security is a complex topic, and mostly outside the scope of the README for this library. The warning in this library is intended primarily to remind developers not to copy-pasting an API key into source code. Any steps beyond that are context-specific, and it's the developer's responsibility to find a solution that matches their needs.
In readme there is a security warning that says: "Don't store secrets in code or any other resources bundled with your app. Instead, fetch them from CloudKit or another server and store them in the keychain." It might create the false impression that simply storing the token in a secure space is enough to protect it from common vulnerabilities. However, the token is passed as a header in network requests and can be easily intercepted using a proxy app. I suggest warning developers that a safer approach is to avoid storing the token on the client side. Instead, they should communicate through their own backend, which securely stores the token and handles requests to Replicate. This way, the security aspect of communication with their backend remains the developer's responsibility.