Secure your app by obfuscating all the hard-coded security-sensitive strings.

Overview

App Obfuscator for iOS Apps

Security Sensitive strings can be:

  • REST API Credentials
  • OAuth Credentials
  • Passwords
  • URLs not intended to be known to the public (i.e. private backend API endpoints)
  • Keys & Secrets

This library hard-codes typical NSStrings as C language strings by obfuscating them and then encoding the result as hexadecimal. When your app needs the original unobfuscated NSString, it decodes it dynamically.

It adds an extra layer of security against prying eyes.

This makes it harder for people with jail-broken iPhones to open up your app's executable file and look for strings embedded in the binary that may appear 'interesting'.

See generally:

This library (v2+) can now be bridged over to Swift.

Installation

CocoaPods

pod 'Obfuscator', '~> 2.0'

Create Globals.h & Globals.m files

This is typically where you store your sensitive strings that you want available globally.

File(top menu)->New->File...

Create a Prefix Header

For Xcode 6, you will need to create a pch file from scratch.

  • Add to bottom:
//Now you do not need to include those headers anywhere else in your project.
#import "Globals.h"
#import <Obfuscator/Obfuscator.h>

Usage

Step 1

Let's assume you are using Parse. In order to use their backend services, they will provide you with a client key:

clientKey:@"JEG3i8R9LAXIDW0kXGHGjauak0G2mAjPacv1QfkO"

Since the string is hard-coded, it will be baked into the executable binary - easily accessible to unscrupulous prying eyes.

We need to store it as a global C string encoded in hexadecimal.

Obfuscator *o = [Obfuscator newWithSalt:[AppDelegate class],[NSString class], nil];  //Use any class(es) within your app that won't stand out to a hacker

[o hexByObfuscatingString:@"JEG3i8R9LAXIDW0kXGHGjauak0G2mAjPacv1QfkO"];

This will print the following code to the Xcode console output (NSLog):

Objective-C Code:
extern const unsigned char *key;
//Original: JEG3i8R9LAXIDW0kXGHGjauak0G2mAjPacv1QfkO
const unsigned char _key[] = { 0x7E, 0x23, 0x25, 0xB, 0xB, 0xF, 0x31, 0x9, 0x7B, 0x70, 0x3B, 0x7F, 0x21, 0x35, 0x9, 0x52, 0x6D, 0x21, 0x2C, 0x7F, 0xE, 0x4, 0x43, 0x52, 0x53, 0x54, 0x75, 0x4, 0x5C, 0x27, 0xB, 0x36, 0x3, 0x5B, 0x15, 0x52, 0x60, 0x5E, 0xE, 0x2E, 0x00 };
const unsigned char *key = &_key[0];

Before deploying your app, DELETE ALL REFERENCES TO THE hexByObfuscatingString: METHOD. It is purely for obtaining the Objective-C code above.

Step 2

Copy the extern const unsigned char *key; from Step 1 into Globals.h.

Copy the const unsigned char _key[] = ... from Step 1 into Globals.m.

Copy the const unsigned char *key = &_key[0]; from Step 1 into Globals.m.

Remember to change key to something more meaningful such as parseKey.

It may be a good idea to add the original string as a comment in Globals.m in case you need to re-encode it (i.e. Step 4).

Step 3

When your app needs to use the unobfuscated string:

- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
	
	Obfuscator *o = [Obfuscator newWithSalt:[AppDelegate class],[NSString class], nil]; //The salt MUST match Step 1
	
	/* INSTEAD OF THIS:
	[Parse setApplicationId:@"TestApp"
              clientKey:@"JEG3i8R9LAXIDW0kXGHGjauak0G2mAjPacv1QfkO"];
	 */


	[Parse setApplicationId:@"TestApp"
              	clientKey:[o reveal:parseKey]];

	return YES;
}

The salt used by the reveal: method MUST MATCH the salt used in Step 1.

Step 4

THIS STEP IS VERY IMPORTANT

Double check that ALL of your obfuscated strings can be unobfuscated back to the original. If not, then change the salt and try again. If even one string cannot be unobfuscated, then that particular string cannot be used with this library. The others can.
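Why a string can fail this check, as an added example (not the library's code): the issue report further down this page traces the failure to the XOR in reveal: producing a 0x00 byte when a string byte equals the key byte at the same position, which ends the C string early. The sketch assumes a plain repeating-key XOR with the key passed as a string; the keys, secrets and function names are constructed for illustration, and how the library derives its key from the salt classes is not shown here.

```c
#include <stdio.h>
#include <string.h>
#define MAX_SECRET 128

/* Repeating-key XOR of a C string. Returns the index of the first 0x00 byte
 * produced inside the output, or -1 if the output is still a valid C string. */
int xor_obfuscate(const char *src, const char *key, unsigned char *dst)
{
    size_t len = strlen(src), klen = strlen(key);
    int first_zero = -1;
    for (size_t i = 0; i < len; i++) {
        dst[i] = (unsigned char)src[i] ^ (unsigned char)key[i % klen];
        if (dst[i] == 0 && first_zero < 0)
            first_zero = (int)i;            /* src[i] == key[i % klen] */
    }
    dst[len] = 0;
    return first_zero;
}

/* Decode the way C-string code does: stop at the first 0x00 byte. */
void xor_reveal(const unsigned char *obf, const char *key, char *out)
{
    size_t klen = strlen(key), i = 0;
    for (; obf[i] != 0; i++)
        out[i] = (char)(obf[i] ^ (unsigned char)key[i % klen]);
    out[i] = '\0';
}

/* Index where secret and key stream hold the same byte, or -1 if none. */
int collision_index(const char *secret, const char *key)
{
    unsigned char obf[MAX_SECRET];
    if (key[0] == '\0' || strlen(secret) >= MAX_SECRET)
        return -1;
    return xor_obfuscate(secret, key, obf);
}

/* The Step 4 check: 1 if the secret survives obfuscate + reveal, else 0. */
int round_trips(const char *secret, const char *key)
{
    unsigned char obf[MAX_SECRET];
    char back[MAX_SECRET];
    if (key[0] == '\0' || strlen(secret) >= MAX_SECRET)
        return 0;
    xor_obfuscate(secret, key, obf);
    xor_reveal(obf, key, back);
    return strcmp(secret, back) == 0;
}

int main(void)
{
    /* Constructed sample keys and secrets, not real credentials or salts. */
    const char *keys[] = { "k3y8salt", "s4ltk3y8" };
    const char *secrets[] = { "testSecret", "abc8xyz" };
    for (int k = 0; k < 2; k++)
        for (int s = 0; s < 2; s++)
            printf("key=%s secret=%s zero_at=%d round_trip=%d\n", keys[k], secrets[s],
                   collision_index(secrets[s], keys[k]), round_trips(secrets[s], keys[k]));
    return 0;
}
```

With the first key, "abc8xyz" is cut off at index 3 while "testSecret" survives; with the second key the outcome is reversed, so a salt that works for one string may not work for another.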

More Advanced Usage

Step 1 - Generate Objective-C Code

- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
	
    [Obfuscator generateCodeWithSalt:@[[NSString class], [AppDelegate class], [NSObject class]]
                         WithStrings:@[
                                       @{@"id": @"AA", @"string":@"testSecret"},
                                       @{@"id": @"BB", @"string":@"testKey"},
                                       @{@"id": @"CC", @"string":@"parseKey1234"},
                                       ]];


	return YES;
}

This will output in Console Log:

Salt used (in this order): [AppDelegate class],[NSObject class],[NSString class],

Objective-C Code:
**********Globals.h**********
extern const unsigned char *AA;
extern const unsigned char *BB;
extern const unsigned char *CC;

**********Globals.m**********
//Original: "testSecret"
const unsigned char _AA[] = { 0x41, 0x51, 0x46, 0x44, 0x62, 0x52, 0x55, 0x44, 0x3, 0x4C, 0x00 };
const unsigned char *AA = &_AA[0];

//Original: "testKey"
const unsigned char _BB[] = { 0x41, 0x51, 0x46, 0x44, 0x7A, 0x52, 0x4F, 0x00 };
const unsigned char *BB = &_BB[0];

//Original: "parseKey1234"
const unsigned char _CC[] = { 0x45, 0x55, 0x47, 0x43, 0x54, 0x7C, 0x53, 0x4F, 0x57, 0xA, 0x56, 0x56, 0x00 };
const unsigned char *CC = &_CC[0];

Copy and Paste the generated code.

NB: The Salt has been rearranged because the original arrangement was not able to obfuscate all 3 strings.

The algorithm will go through all permutations of the salt to maximize the number of strings it is able to obfuscate. Sometimes it will not succeed completely, so the output will indicate which strings were not obfuscated. For the unobfuscated strings, try a totally different salt OR add more classes to the salt list and try again. The more classes you add, the better the chance of obfuscating all strings.

DELETE [Obfuscator generateCodeWithSalt:WithStrings:] for production.

Step 2 - Store Salt in key-value internal database

[Obfuscator storeKey:@"swift" forSalt:[AppDelegate class],[NSObject class],[NSString class], nil];

If your project is written in Objective-C, there are other undocumented ways to proceed after Step 1. However, this is the only way to proceed for a Swift-based project. This way works in both Swift and Objective-C.

NB: The Salt list applied to storeKey:forSalt: must be ordered according to the output in Step 1. This arrangement may be different to the argument applied to generateCodeWithSalt:WithStrings:.

You can use different keys to identify different salts if you choose to obfuscate multiple strings using different salts.

Step 3 - Dynamically decode obfuscated string when you need to use it.

- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
		
	/* INSTEAD OF THIS:
	[Parse setApplicationId:@"TestApp"
              clientKey:@"JEG3i8R9LAXIDW0kXGHGjauak0G2mAjPacv1QfkO"];
	 */


	[Parse setApplicationId:@"TestApp"
              	clientKey:[Obfuscator reveal:CC UsingStoredSalt:@"swift"]];

	return YES;
}

For Swift:

	Obfuscator.reveal(CC, usingStoredSalt: "swift")

Other Useful Packages

Check out "github.com/pjebs/EasySocial" library. The Easiest and Simplest iOS library for Twitter and Facebook. Just Drop in and Use!

Check out "github.com/pjebs/optimus-go" package. Internal ID hashing and Obfuscation using Knuth's Algorithm. (For databases etc)

Credits:

Final Notes

If you found this package useful, please Star it on github. Feel free to fork or provide pull requests. Any bug reports will be warmly received.

PJ Engineering and Business Solutions Pty. Ltd.

Comments
  • Swift use

    Hello. How can I use this with Swift?

    Is it generated by:

    let o = Obfuscator.newWithSaltUnsafe()
    o.hexByObfuscatingString("superNEEDEDstring")
    

    ? or how?

    question 
    opened by AgapovOne 8
  • Linker Error when compiling for an iPhone5

    Hi there!

    I'm currently trying to use Obfuscator-iOS in my app project. However, when building on the iPhone 5 simulator, I'm getting the following linker error:

    screen shot 2017-07-13 at 4 17 53 pm
    opened by narner 7
  • Not all classes are acceptable as salt

    Hi,

    While creating a Obfuscator object I came across an issue where not all my classes are obfuscating the key successfully. For example if I use any of the below set of classes as a salt I always get error Could not obfuscate - Use different salt

    Obfuscator *o = [Obfuscator newWithSalt:[NSString class], [NSObject class], [NSString class], nil];
    or
    //Application is a class define in my project
    Obfuscator *o = [Obfuscator newWithSalt:[Application class], [NSString class], nil];
    or 
    //Rename class from Application to Applicatio
    Obfuscator *o = [Obfuscator newWithSalt:[Applicatio class], [NSString class], nil];
    or
    //Rename class from Application to Applicatin
    Obfuscator *o = [Obfuscator newWithSalt: [Applicatin class], [NSObject class], nil];
    or
    //Protection is a class in my application
    Obfuscator *o = [Obfuscator newWithSalt: [Protection class], [NSString class], nil];
    or
    //Protection is a class in my application
    Obfuscator *o = [Obfuscator newWithSalt: [Protection class], [NSObject class], nil];
    

    Whereas below set of classes are acceptable

    // Using NSString and NSObject as salt
    Obfuscator *o = [Obfuscator newWithSalt:[NSString class], [NSObject class], nil];
    or
    Obfuscator *o = [Obfuscator newWithSalt:[NSString class], [NSString class], [NSString class], nil];
    or
    //Rename class from Application to Applicatin
    Obfuscator *o = [Obfuscator newWithSalt:[Applicatin class], [NSString class], nil];
    

    I am not sure if any of the characters in the class name is causing this issue. If there is any limitation in using specific characters in the class name for the salt, then let me know.

    opened by msalman 5
  • For guidance, for help

    I found a problem with WeChat-related appkey, hexByObfuscatingString methods, such as "wxaa45ad08facad578", "wxaa45ad08uhtad578", I don't know if there is a way to solve it @pjebs

    opened by flyOfYW 4
  • Fix CocoaPods Build issue

    This fixes the issue building with CocoaPods in issue #2.

    The #include <CommonCrypto/CommonCrypto.h> line needed to be moved from the header file to the implementation file to remove the build error.

    I've tested this in my application and it works as expected.

    opened by AnthonyMDev 3
  • Could not obfuscate Use different salt

    when trying to obfuscate a web address with a hyphen in it, it returns

    2016-06-15 13:27:36.955 Impl.[47263:1595477] Could not obfuscate: http://xxx-xx.xxxxxxxx.xxx/ - Use different salt

    Any ideas how I can get around this?

    Works fine with all my other variables which don't have special characters.

    opened by dholdaway 3
  • hexByObfuscatingString fails due to XOR anomaly

    I added Obfuscator-iOS to my project via CocoaPods and followed the directions to obfuscate strings. I'm trying to use hexByObfuscatingString: to obfuscate a secret key for GitHub's API, but I keep getting an error that it could not obfuscate my secret key string.

    I walked through the code and I think that the problem is at line number 164 in Obfuscator.m. In the reveal: method, there's this line of code:

    *dataPtr = *dataPtr ^ *keyPtr;
    

    The problem that I am seeing is that both *dataPtr and *keyPtr point to the character '8' at one index. Therefore, '8' XOR '8' is going to be byte 0. Because the code is operating on C strings, this '0' byte is prematurely terminating the obfuscated string and the obfuscated version appears to be truncated.

    enhancement 
    opened by mfcollins3 3
  • Errors: (1) Expected ';' after method prototype and (2) Expected identifier in Obfuscator.h

    Getting errors: (1) Expected ';' after method prototype (2) Expected identifier

    at two method declarations in Obfuscator.h file

    • (instancetype)newWithSalt:(Class)class, ... NS_REQUIRES_NIL_TERMINATION; and
    • (void)storeKey:(NSString *)key forSalt:(Class)class, ... NS_REQUIRES_NIL_TERMINATION;

    Renaming class to some other name fixed the errors.

    opened by askarimov 2
  • Continually getting

    Continually getting "Could not obfuscate [...] Use different salt" error

    Hello,

    Thanks for this project - looks like it's exactly what I need. I added the Obfuscator.h and Obfuscator.m files to my project manually (i.e., not using CocoaPods).

    I'm able to run the example code you had in the README file, and it successfully generates a hex value. When I try to do this with my own strings that I want to obfuscate, I keep getting

    "Could not obfuscate [...] Use different salt" logs.

    I'm on Xcode 8.3.2

    Thanks!

    opened by narner 1
  • Xcode 10.1 warning: Possible misuse of comma operator here

    Thank you for this great class.

    While using it in my Xcode 10.1 project, it shows the following warning:

    Obfuscator.m:173:25: Possible misuse of comma operator here

    This is the code:

    // If at end of key data, reset count and
    // set key pointer back to start of key value
    if (++keyIndex == [self.salt length])
        keyIndex = 0, keyPtr = keyData;
    

    I've solved it by splitting the statements over multiple lines within the IF condition:

    // If at end of key data, reset count and
    // set key pointer back to start of key value
    if (++keyIndex == [self.salt length])
    {
        keyIndex = 0;
        keyPtr = keyData;
    }
    
    opened by funnel20 0
  • Bitcode Support

    Hi,

    I am using Obfuscator library in my project. However, I cannot create an Archive for my app because of the following error:

    screen shot 2017-05-25 at 6 11 35 pm

    Are there updates/workaround to address this issue other than disabling bitcode on the target level?

    Thanks, Kenneth

    question 
    opened by kdmandawe 3
  • Error when use with cocoapods.

    Hi!

    I installed it with CocoaPods. When I compile my Swift project, I have this error:

    Could not build Objective-C module 'Obfuscator'
    

    Have you any idea ?

    opened by imrmaximus 9