hide .json files when included in Cocoa Touch Framework

I would like to release a Cocoa Touch framework including some json files which contain logic I don't want the framework's user to see; unfortunately, the json is still visible inside the .framework file.

I thought about including it in a swift file:

    struct JsonProvider {
        static let json = "..."
    }

but my json is so large that the file isn't usable any more. I didn't find a way to compile it on the command line and then include it.

Is there a solution to one of the two problems, i.e.

  • hide the json inside the framework or
  • precompile a swift file and then add it to the framework?

swalkner asked Sep 05 '17 17:09


1 Answer

The answer to this really depends on how secure you need the file to be. Nothing is going to be 100% secure but you can make it more or less difficult for an attacker to gain access.

Option A: Hide the file

Add a '.' at the beginning of the file name, which will hide it from those browsing the directory that don't know about hidden files.

Caveats:

  • Anyone with knowledge of hidden files can figure this out.

Option B: Obfuscate

Encode your file, using Base64 or other encoding methods.

Caveats:

  • Only deters the lazy/mildly curious. Encodings are easy to defeat.

Option C: Encryption or storing in code

Encrypt the file using a symmetrical algorithm such as AES and store the cipher in code.

Alternatively, remove the json file and create a variable in code with a string that holds the json.

    var myJson = """
    {
      "jsonData": "value"
    }
    """

Caveats:

  • Code can be decompiled to reveal hardcoded strings, but it's difficult. Someone would have to gain access to your .ipa file, which is protected by Apple's DRM. You could also opt to encode the string, but if someone is already decompiling your code then they can figure out how to defeat obfuscation.

Option D: Don't include the file at all

This is a pretty broad topic outside the scope of your question, but essentially you host your file somewhere. Where and how you do this again depends on how secure you need the data to be. Ideally, you would serve the data over HTTPS and block self-signed certificates from being used in your app so that it can't be proxied (i.e. man in the middle).

URLSession already does a pretty good job of this out of the box, but you could take it even further by using certificate pinning: https://developer.apple.com/news/?id=g9ejcf8y

Essentially you create certificate configurations on your server and bundle the public keys in your app; the connection will be refused unless the pinning requirements are met. The caveat is that you have to update your app whenever your certificates change.

akaffe answered Sep 29 '22 12:09
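
An added example, not part of the original answer, for the pinning step in Option D: it computes a pin as the base64-encoded SHA-256 digest of a certificate's public key (SubjectPublicKeyInfo) and shows that the value follows the key pair, so a certificate renewed with the same key keeps its pin while a new key changes it. The function names and the host name api.example.test are constructed for illustration, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original answer). Function names and the host
# name api.example.test are constructed for illustration; requires openssl.
set -eu

# spki_pin CERT.pem: print base64(SHA-256(DER SubjectPublicKeyInfo)).
spki_pin() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 -binary \
        | openssl enc -base64
}

# new_key OUT.pem: generate a P-256 private key.
new_key() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1"
}

# self_signed KEY.pem OUT.pem DAYS: issue a self-signed test certificate.
self_signed() {
    openssl req -x509 -new -key "$1" -out "$2" -days "$3" \
        -subj "/CN=api.example.test" 2>/dev/null
}

# pin_demo: print three pins, one per line:
#   1. original certificate
#   2. renewed certificate, same key pair
#   3. replacement certificate, new key pair
pin_demo() {
    work=$(mktemp -d)
    new_key "$work/key1.pem"
    new_key "$work/key2.pem"
    self_signed "$work/key1.pem" "$work/cert1.pem" 30
    self_signed "$work/key1.pem" "$work/cert1-renewed.pem" 365
    self_signed "$work/key2.pem" "$work/cert2.pem" 30
    spki_pin "$work/cert1.pem"
    spki_pin "$work/cert1-renewed.pem"
    spki_pin "$work/cert2.pem"
    rm -rf "$work"
}

pin_demo
```

Run against the real server certificate, `spki_pin` gives the value to bundle with the app; the first two lines of the demo output match and the third differs.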