Protecting iOS Applications

Important to note: We have just released a brand new obfuscation tool for iOS apps, supporting Apple's newest products and the Swift language. For more information and the GitHub link, please click here. The repository described below is no longer maintained. We'd be more than happy to help with your apps' security issues. Shoot us an e-mail and we'll get back to you soon!

Application security is especially vital in the mobile world. We need different tools to hide our intellectual property from attackers or from companies that may try to copy our products. With web technologies it's rather simple: all your code sits on the server under your full control, and nobody except you has access to the sources and implementation details. It's much harder on mobile devices, where you have to ship applications compiled into a format the OS (Android or iOS) understands. One technique that is especially useful for hiding our secrets is obfuscation. Obfuscation makes programs, i.e. source or machine code, difficult for humans to understand. It isn't irreversible, but most people will give up sooner.

There are different methods used to obfuscate applications. To name a few:

  • Renaming classes and methods
  • Encryption of strings and other constants
  • Method inlining
  • Proxy methods
  • Code virtualization
  • Tamper-detection mechanisms
  • Anti-debugging mechanisms
  • Control-flow obfuscation
  • Junk classes and methods

Do I need it?

On iOS it is especially crucial to use some kind of obfuscation. Due to the architecture of Objective-C, dissecting an iOS application is rather simple. You've probably heard about class-dump, Cycript or Clutch. These tools make it very easy to dump and analyze any application you've built, which leaves you exposed to anyone who wants to look into your code. They can even modify the behavior and graphics and release the app as their own.

What about the others?

In the Android world we have the amazing ProGuard, made by Eric Lafortune, a speaker at MCE 2014. ProGuard is in fact the industry standard: it's well documented and everyone uses it. ProGuard not only makes applications more secure, but also produces more compact code by shortening class and method names and removing dead code.

That's Android, but what about iOS? The situation is much worse. There are some tools, but almost all of them are commercial.

For over a year we have been working on a project where security is especially important. We thought of something much simpler, yet very useful. We couldn't find a tool that suited us, so we developed our own.

How does it work?

We parse the Objective-C portion of the Mach-O object files, extracting all classes, properties, methods and ivars defined there. Then we read all system frameworks, parsing their Objective-C structure the same way. For each symbol from your executable that isn't present in the system frameworks, we generate a random identifier consisting of letters and digits. The generated list of symbols is then formatted as a header file of C-preprocessor defines, which is included from your .pch file. The next time you compile your application, every class or method present in the header file gets a new name.

Functionality

We built the first version entirely in Bash; interestingly, it was only 274 lines long. iOS-Class-Guard is the second release, rewritten from scratch as an extension of class-dump. Our goal was to cover all aspects of iOS app development and to leave as little as possible unobfuscated.

Major features:

  • Storyboards and XIBs - if you use Interface Builder to create the UI for your app, our tool will automatically find the storyboards and XIBs and obfuscate them.
  • CoreData - this one is a bit trickier. The greatest benefit of our tool (generating obfuscated symbol names randomly) becomes the biggest obstacle to fully supporting CoreData. Even when a model is unchanged between obfuscator runs, its symbols would get different identifiers. This could lead to, e.g., wiping out the whole persistent store or an app crash (depending on the implementation). We've decided to exclude symbols found in the CoreData model.
  • CocoaPods - we also thought about external dependencies in your project. If you include 3rd-party code in your project, it is obfuscated as if it were your own code. What if you've decided to go with CocoaPods? We thought about that, too. All dependencies added to your workspace get obfuscated, as long as their source code is included.
  • Crash dumps - from time to time we all get them. It's never a nice moment, but they help to fix issues with our apps. So you might wonder how to track down a bug when the crash dump you've received contains only obfuscated symbols. We also prepared a tool to handle that. Our tool generates a symbol mapping file, which can later be used to reverse the process and replace the obfuscated symbols in a crash dump file.
  • Symbol name deduction - this one is also a bit tricky. Objective-C provides many ways to write the same piece of code, e.g. you can define a getter and setter but use dot notation in your code as if it were a property, and vice versa. To make it even worse, you can define custom getters and setters. We've tried to make our tool as robust as we could, so we match method symbols with properties and we also handle the standard Objective-C property conventions, e.g. the is prefix for boolean getters. For now, we don't handle custom getters/setters that do not follow the convention.
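To make the pipeline from "How does it work?" and the crash-dump and symbol-deduction items above concrete, here is an added Python sketch that is not part of iOS-Class-Guard: it uses constructed symbol lists in place of parsed Mach-O files, derives a property's `is`/`set` accessors from the same random id as the property itself, emits the #define header, and reverses the mapping over a crash-dump line.

```python
import random
import re
import string

# Constructed sample: symbols parsed from the app binary and from system frameworks.
APP_SYMBOLS = ["LoginViewController", "secretToken", "setSecretToken:",
               "enabled", "isEnabled", "setEnabled:", "viewDidLoad", "NSObject"]
SYSTEM_SYMBOLS = {"NSObject", "UIViewController", "viewDidLoad"}

def split_accessor(symbol, known):
    """`isEnabled` and `setEnabled:` belong to property `enabled` if that is a
    known app symbol; anything else (custom getters included) is its own base."""
    for prefix, suffix in (("is", ""), ("set", ":")):
        body = symbol[len(prefix):len(symbol) - len(suffix)]
        if symbol.startswith(prefix) and symbol.endswith(suffix) and body:
            base = body[0].lower() + body[1:]
            if base in known:
                return base, prefix, suffix
    return symbol, "", ""

def random_identifier(rng, taken, length=10):
    """Random C identifier (letter first); retried on the rare collision."""
    while True:
        ident = rng.choice(string.ascii_letters) + "".join(
            rng.choices(string.ascii_letters + string.digits, k=length - 1))
        if ident not in taken:
            return ident

def build_mapping(app_symbols, system_symbols, seed=None):
    """original -> obfuscated for every app symbol no system framework defines."""
    rng, known = random.Random(seed), set(app_symbols) - set(system_symbols)
    base_ids, mapping = {}, {}
    for sym in sorted(known):
        base, prefix, suffix = split_accessor(sym, known)
        if base not in base_ids:  # accessors reuse their property's new id
            taken = set(system_symbols) | set(base_ids.values())
            base_ids[base] = random_identifier(rng, taken)
        new = base_ids[base]
        mapping[sym] = prefix + new[0].upper() + new[1:] + suffix if prefix else new
    return mapping

def header_lines(mapping):
    """#define lines for the .pch; a selector's colon is not part of the token."""
    return [f"#define {o.rstrip(':')} {n.rstrip(':')}" for o, n in sorted(mapping.items())]

def desymbolicate(mapping, crash_line):
    """Reverse the mapping over one crash-dump line, identifier by identifier."""
    reverse = {n.rstrip(":"): o.rstrip(":") for o, n in mapping.items()}
    return re.sub(r"[A-Za-z_]\w*", lambda m: reverse.get(m.group(0), m.group(0)), crash_line)
```

The mapping returned by build_mapping is the symbol mapping file the text mentions; keep it out of the shipped app, since anyone holding it can undo the renaming.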

Seamless integration

When creating iOS Class Guard, one of our goals was to build a tool that integrates seamlessly with your normal development workflow, so we've tried to keep the required code base changes to a minimum. For details, please check out our iOS-Class-Guard GitHub page; just keep in mind that, as stated above, the repository is no longer maintained.

Kamil, Lead Software Engineer
Błażej, Lead Software Engineer
Tomasz, Senior Software Engineer
