
Objective-C obfuscation of methods works in DEBUG but crashes in RELEASE

I made an Xcode project where I did some security stuff, and they asked me to obfuscate the method names

like so:

#define specialMethod a9328238
+(void) specialMethod
{
   // do security stuff
}

I made a .framework library from the project (project A) and included it in another project (project B).

But when I run (project B) with a Release build configuration, it always crashes like so:

*** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '+[SecurityClass a9328238]: unrecognized selector sent to class 0x337cc4'

So it crashes when it tries to access the method.

But when I run (project B) with a Debug build configuration, it runs smoothly.

(I have kept all my build configuration settings as default.)

Andy Jacobs asked Feb 08 '12 14:02


3 Answers

Where have you placed the #define for obfuscation? Is it in the header file (.h) or in the implementation file (.m) of the framework?

For the obfuscation to be effective, it must be placed in a file that is included by both the implementation and the caller.

You can also check that the pre-processing is OK by inspecting the pre-processed file. Select the implementation file and go to the menu Product > Generate Output > Generate Preprocessed File (you can select the configuration at the bottom of the screen).

Laurent Etiemble answered Nov 10 '22 01:11


My hunch is the #define location/visibility as well.

But you may want to consider this from another angle. You could change:

#define specialMethod a9328238
+(void) specialMethod
{
   // do security stuff
}

to:

@interface SecurityClass : NSObject

// private obfuscated interface:
+ (void)a9328238;
// {
//    do security stuff in a9328238's definition
// }

@end

// here is the public interface:
static inline void SecurityClass_LogIn() {
   [SecurityClass a9328238];
}

dropping #define altogether.

In use:

SecurityClass_LogIn();
…

Since this is a class method, you could write an obfuscated function wrapped in a human-readable inline instead. A well-crafted C implementation will be much more difficult to pick apart than objc.

A more complete example would help us narrow down the possibilities.

Also verify there are no warnings -- the compiler may warn you if you have called an undeclared selector. It's possible that the method is called where the #define is not visible in other cases.

justin answered Nov 10 '22 00:11


It seems that the executable which imports the obfuscated framework tries to access the non-obfuscated methods.

You should check the symbols in the framework. Use nm on the static library in the framework to see the exported symbols (marked with a 't'). Make sure the symbols are obfuscated.

Nikolai Ruhe answered Nov 10 '22 00:11
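
The symbol check suggested in the last answer, as an added example that is not part of the original answers: a shell function that reads the obfuscation macros from a header and reports, for a saved nm listing, whether the readable method name or its obfuscated replacement was compiled into the binary. The file names, the nm listings and the status labels are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answers).
# check_obfuscation HEADER NM_OUTPUT
#   HEADER     file with the obfuscation macros ("#define specialMethod a9328238")
#   NM_OUTPUT  saved output of `nm` run on the framework binary
# Prints "<readable> <obfuscated> <status>" for every macro in HEADER.
check_obfuscation() {
    header=$1
    symbols=$2
    class='[A-Za-z_][A-Za-z0-9_]*'
    # Keep only object-like macros of the form: #define NAME VALUE
    awk '$1 == "#define" && NF == 3 { print $2, $3 }' "$header" |
    while read -r readable obfuscated; do
        # nm lists Objective-C methods as "+[Class selector]" / "-[Class selector]".
        # "[]:]" ends the match at "]" or at the ":" of a selector with arguments.
        if grep -Eq "[+-]\[$class ${readable}[]:]" "$symbols"; then
            status=LEAKED       # readable name was compiled into the binary
        elif grep -Eq "[+-]\[$class ${obfuscated}[]:]" "$symbols"; then
            status=OBFUSCATED   # only the macro's replacement is present
        else
            status=MISSING      # neither name is present in this binary
        fi
        echo "$readable $obfuscated $status"
    done
}

# Constructed sample data: one macro header and two made-up nm listings.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '#define specialMethod a9328238' > "$dir/Obfuscation.h"
    printf '%s\n' '0000000000001f40 t +[SecurityClass a9328238]' \
                  '0000000000003010 S _OBJC_CLASS_$_SecurityClass' > "$dir/good.nm"
    printf '%s\n' '0000000000001f40 t +[SecurityClass specialMethod]' \
                  '0000000000003010 S _OBJC_CLASS_$_SecurityClass' > "$dir/bad.nm"
    echo "good: $(check_obfuscation "$dir/Obfuscation.h" "$dir/good.nm")"
    echo "bad:  $(check_obfuscation "$dir/Obfuscation.h" "$dir/bad.nm")"
    rm -rf "$dir"
}
demo
```

Comparing the listings taken from the Debug and the Release build shows whether the macro was applied in both.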