
If I share an unsigned XCARCHIVE file with a client, can they see the source code?

If I share an unsigned XCARCHIVE file with a client, can they see the source code? Is it in any way less secure than sending them the IPA file?

Thanks

Chris asked Dec 18 '11 23:12


2 Answers

If you take a look inside an .xcarchive, you'll see that it consists of a "dSYM" directory (which holds the debug symbols for the application), an Info.plist, and a directory containing the application binary. It should be no less secure than sending an IPA.

Mark Adams answered Oct 20 '22 17:10


Distributing a .xcarchive directory is a bad idea if you are worried about reverse engineering.

Specifically, a .ipa file typically does not contain the C symbol table.

Any Mach-O binary linked against any objc will include segments which describe all of the objc classes, selectors and imp addresses. This is great to have when reversing, but the C symbol table is something that can and should be discarded from your distributed binary.

The .dSYM dir (containing the stripped symbol table) is kept specifically so that stack traces in crash reports can be symbolicated. There is no technical reason to distribute it.

Indeed, to the reverse-engineer, having the symbol table can be priceless.

If you are worried about someone reverse engineering some of your logic, implement everything with private C functions (all in the same file as far as the compiler is concerned) and distribute a stripped binary only (.ipa not .xcarchive).

Don't use objc any more than you are forced to.

Even then, someone who is good with a decompiler will still figure it all out eventually, but it will be a lot harder.

Brian answered Oct 20 '22 18:10
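A pre-release check for the symbol-table point raised in the answer above, as an added example that is not part of the original answers: it reads the `LC_SYMTAB` load command of a Mach-O file and lists the debug (stab) and local defined symbol names that a stripped binary would not carry. It assumes a thin, little-endian, 64-bit Mach-O (no fat/universal wrapper); `strippable_symbols`, `build_sample` and the symbol names are hypothetical, and the sample bytes are constructed.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF          # thin, little-endian, 64-bit Mach-O
LC_SYMTAB = 0x2
N_STAB, N_TYPE, N_SECT, N_EXT = 0xE0, 0x0E, 0x0E, 0x01   # nlist n_type masks

def strippable_symbols(macho):
    """Names of debug (stab) and local defined symbols, which a stripped binary lacks."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", macho, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin little-endian 64-bit Mach-O")
    off = 32                                   # sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", macho, off)
        if cmdsize < 8:
            raise ValueError("malformed load command")
        if cmd == LC_SYMTAB:
            symoff, nsyms, stroff, strsize = struct.unpack_from("<4I", macho, off + 8)
            strtab = macho[stroff:stroff + strsize]
            names = []
            for i in range(nsyms):             # nlist_64 entries are 16 bytes each
                n_strx, n_type = struct.unpack_from("<IB", macho, symoff + 16 * i)
                local = (n_type & N_TYPE) == N_SECT and not n_type & N_EXT
                if n_type & N_STAB or local:
                    end = strtab.find(b"\0", n_strx)
                    names.append(strtab[n_strx:end].decode("ascii", "replace"))
            return names
        off += cmdsize
    return []

def build_sample(symbols):
    """Constructed input: header, one LC_SYMTAB, nlist_64 entries, string table."""
    strtab, nlists = b"\0", b""
    for name, n_type in symbols:
        n_sect = 1 if (n_type & N_TYPE) == N_SECT else 0
        nlists += struct.pack("<IBBHQ", len(strtab), n_type, n_sect, 0, 0x1000)
        strtab += name.encode() + b"\0"
    symoff = 32 + 24                           # header + the single load command
    cmd = struct.pack("<6I", LC_SYMTAB, 24, symoff, len(symbols),
                      symoff + len(nlists), len(strtab))
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, 24, 0, 0)
    return header + cmd + nlists + strtab

if __name__ == "__main__":
    # Constructed names: a static helper, an exported entry point, an import.
    sample = build_sample([("_check_license", 0x0E), ("_main", 0x0F), ("_printf", 0x01)])
    print(strippable_symbols(sample))
```

An empty result means the file carries only exported and imported symbols; Objective-C class and selector metadata lives in other sections and is not covered by this check.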