
App Store code obfuscation?

Just wanted to make sure: What has happened to all the strings and URLs I have in my binary?

When I build the project and later I browse the contents of the binary (when the project is called something, the something.app is generated and inside the binary: "something") using Smultron or any other source editor I can easily find all the strings I'm using in the app, in this case - URL to the API and localization keys like "login TITLE" (linking to Localization.strings).

My application has been approved and I downloaded the app. Renamed the ipa to zip and extracted. To my surprise in the binary I couldn't find any string - neither URLs, nor any other.

Does it mean my App has been obfuscated or was it encrypted by Apple DRMs?

Regards Chris

Chris Rutkowski asked Jan 04 '11 15:01



1 Answer

You can indeed easily find those. But no worries, URL calls are also easily found by monitoring network connections. The trick is to communicate through SSL using POST.

The App Store build you make secures the app somewhat (DRM and what not), but I believe a simple hex editor can get some stuff back. Reverse engineering is always an option.

I wouldn't worry about finding the URLs, I'd worry about how safe those calls are. People will always be able to find the things you like to hide. The trick is to make it impossible for them to (mis)use it.

Jake answered Sep 21 '22 13:09
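Added example, not part of the question or the answer above: the DRM the answer mentions is recorded in the Mach-O header as an `LC_ENCRYPTION_INFO` load command, and a non-zero `cryptid` means the byte range starting at `cryptoff` is stored encrypted, so strings inside it are not readable in the file. The constants follow Apple's Mach-O `loader.h` and `fat.h`; the function names are hypothetical and the sample headers are constructed.

```python
import struct

# Constants from Apple's <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C

def encryption_info(data, base=0):
    """Return [(cryptoff, cryptsize, cryptid), ...], one tuple per encryption command."""
    if len(data) < base + 8:
        raise ValueError("truncated header")
    if struct.unpack_from(">I", data, base)[0] == FAT_MAGIC:  # fat header is big-endian
        nfat = struct.unpack_from(">I", data, base + 4)[0]
        found = []
        for i in range(nfat):
            # fat_arch: cputype, cpusubtype, offset, size, align
            _, _, offset, _, _ = struct.unpack_from(">5I", data, base + 8 + 20 * i)
            found += encryption_info(data, offset)
        return found
    magic = struct.unpack_from("<I", data, base)[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O image")
    ncmds = struct.unpack_from("<I", data, base + 16)[0]
    pos = base + (32 if magic == MH_MAGIC_64 else 28)  # size of mach_header(_64)
    found = []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, pos)
        if cmdsize < 8:
            raise ValueError("bad load command size")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            found.append(struct.unpack_from("<III", data, pos + 8))
        pos += cmdsize
    return found

def is_encrypted(data):
    """True if any slice declares an encrypted range (cryptid != 0)."""
    return any(cryptid for _, _, cryptid in encryption_info(data))

def build_sample(cryptid):
    """Constructed 32-bit ARM Mach-O header holding one LC_ENCRYPTION_INFO command."""
    lc = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x1000, 0x4000, cryptid)
    header = struct.pack("<7I", MH_MAGIC, 12, 9, 2, 1, len(lc), 0)
    return header + lc

if __name__ == "__main__":
    for cryptid in (0, 1):  # constructed samples, not real app binaries
        for off, size, cid in encryption_info(build_sample(cryptid)):
            state = "encrypted" if cid else "plaintext"
            print(f"cryptoff={off:#x} cryptsize={size:#x} cryptid={cid} -> {state}")
```

To check a real build, pass the bytes of the executable inside the `.app` bundle to `encryption_info`.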