Best IT Recipes

IPhone / iPad Obfuscated Application Code - Is It Possible? Worth it?

I have learned quite a lot, both in SO and google-ing everywhere, but I cannot find a direct answer regarding obfuscation code for iPhone / iPad applications written in Objective-C.

My questions are:

  • Is there any way to do this? If so, how?
  • Is it worth it?
  • Is Apple resolved or has problems with it when the application is sent to them?
+55
iphone ipad obfuscation store
Apr 05 '11 at 18:45
source share
5 answers

There seems to be no code for Objective-C for the obfuscator. But suppose for a moment that it exists.

Apple will probably not give up the running application if it does not work. The main question: what is the meaning of obfuscation? Usually you want to obfuscate the code to protect your knowledge, for example, if your program uses copy protection that you want to complicate for a potential cracker, or if you use some advanced algorithm, you do not want business competitors to be able to decompile him.

Copy protection has already taken care of iOS. Although through jailbreaking a normal application can be copied and launched, I would say that the actual number of users who do this is quite low (at least much lower than on regular computers such as PCs and Macs). Do you expect piracy to have such a big problem that you need to confuse?

If you have important knowledge to protect, then obfuscation can be helpful. Obfuscation has its drawbacks: you can no longer debug your tangled application. Crash reports will be useless.

You can also read Obfuscating Cocoa's article.

Let's get back to the fact that there seems to be no obfuscator: what you can do is a trick: let's say you have a headline like this:

@interface MyClass : NSObject { } - (void)myMethod;

You can do cheap obfuscation as follows:

 #ifndef DEBUG #define MyClass aqwe #define myMethod oikl #endif @interface MyClass : NSObject { } - (void)myMethod;

This way, you can use significant characters in your source, but the compiler will turn it into "garbage" when it is not compiled for debugging.

+50
Apr 05 '11 at 19:17
source share
  • Yes, you can take a look at EnsureIT for Apple iOS or Contaxiom Code Protection
  • It depends. Security usually introduces complexity; you must balance it between usability.
  • Apple should not have any problems with it (correct me if I am wrong), and I personally have several applications that use the code obfuscator.
+29
Feb 17 2018-12-12T00:
source share

In addition to the earlier answers, there are now several third-party tools that offer some degree of protection against obfuscation and integrity, including: -

  • Arxan,
  • Metaphorical,
  • Cryptanium

They vary in scope and include: -

  • Obfuscation control flow, for example. ARM command streams are distorted by redundant instructions to hide the original purpose of the code,
  • Renaming a class and a method - renames your methods and classes to meaningless names, although you have to be careful when using it, since you can easily break your application because the Objective-C runtime expects to find specific names,
  • String encryption - all static lines in the application are encrypted, and the code is inserted to decrypt the lines immediately before use, to make static analysis more difficult
  • Anti-debugging code is inserted to break regular debuggers (not always successfully),
  • Anti-tamper - usually creates a network of checksums that protect the binary from modification,
  • Objective-C runtime protection - usually checks registered methods for implementing obj-c to make sure that they are in the application and were not "swizzled".

All these tools are very expensive and not without problems, so you really need an application that requires a high degree of integrity to consider them, for example. banking or where DRM is very important.

For these types of applications, you will also need qualified penetration testers to make sure your application does not open in other ways, since these tools are often as good as the people using them, and there are other OS vulnerabilities that need to be mitigated. that the tools are not addressed.

+10
09 Oct '13 at 8:44
source share

The application executable file is already encrypted by Apple, and the application sandbox executable code segment cannot be written, so you cannot perform additional encryption that requires modification of the code at runtime. And the transition of the Objective C / C compiler optimizer is already creating something very different from the source code. Using more C and less Objective C will show fewer names of your functions, since method names are embedded in visible plain text, but C function names are not. Thus, any code such as secret secrecy should probably be encoded in plain C and compiled with an optimizer that has completely flipped over. You could confuse any webKit Javascript built into the application bundle, or any other VM built-in code (until the interpreted code loads).

+1
Apr 05 '11 at 19:20
source share

Probably not because Objective-C is compiled into processor instructions, but not interpreted or compiled into byte code, so decompiling the code will already lead to rather obscure results. Obfuscation is what you usually only need when you need to distribute the source code of your code, for example, in interpreted languages, such as JavaScript, to run it, even if you want the code to remain secret.

-6
Apr 05 '11 at 19:16
source share


More articles:


All Articles