πŸ”’ Swift Obfuscator that protects iOS apps against reverse engineering attacks.

Related tags

Security swift ios obfuscation objective-c objc sourcekit
Overview

SwiftShield logo

struct fjiovh4894bvic: XbuinvcxoDHFh3fjid {
  let VNfhnfn3219d: Vnahfi5n34djga
  func cxncjnx8fh83FDJSDd() -> Lghbna2gf0gmh3d {
    return vPAOSNdcbif372hFKF(VNfhnfn3219d.Gjanbfpgi3jfg())
  }
}

SwiftShield: Swift Obfuscator

GitHub release

SwiftShield is a tool that generates random and irreversible encrypted names for your iOS project's types and methods (including third-party libraries). It uses Apple's SourceKit to mimick Xcode's indexing behavior, revealing a complete map of your project that is used to safely rename parts of your project.

Reverse engineering iOS apps is relatively simple due to the fact that almost every single type and method name is exposed in the app's binary. This allows jailbreak tools like class-dump and Cycript to extract this information and use it to change the behavior of your app in runtime.

Obfuscating code in iOS difficults the usage of these tools, while also makes it tougher for jailbreak developers to create tweaks for your app as SwiftShield's obfuscation changes every time you run it.

Limitations

The capabilities of SwiftShield are directly related to the capabilities of SourceKit, which unfortunately has its share of bugs. However, although SwiftShield can't obfuscate everything, it can obfuscate just enough to make reverse engineering very hard. Check this document to see its capabilities in detail.

Requirements

  • You should not have logic based on hardcoded names (like loading MyClass.json because String(describing: type(of:self)) is 'MyClass'). SwiftShield does not obfuscate things like file names and hardcoded strings -- only the types themselves.
  • No Objective-C classes that call Swift methods (but Swift classes calling Objective-C code is fine).
  • Your project should be 100% written in View Code. Older versions of SwiftShield did support obfuscating Storyboards/XIBs, but it was extremely hard to maintain. This parts from the principle that if you have a project big or important enough to be obfuscated, you probably shouldn't be using Storyboards in first place.
  • Your project should not be using Xcode's Legacy Build System setting.
  • Make sure your project doesn't suffer from one of SourceKit's bugs. Although the bugs won't prevent the project from being obfuscated, some of them might require you to manually fix the resulting code as it will not be able to compile.

Usage

Check this repo's example project to see it in action! You can run it by executing make swiftshield in your terminal.

Downloading SwiftShield

You can get a SwiftShield binary from the releases page.

Modify scripts that can affect SwiftShield

If your project uses a framework that also modifies your files like SwiftGen, you need to prevent them from running alongside SwiftShield. This can be done by checking for the $SWIFTSHIELDED Xcode variable that is added by SwiftShield after your project is obfuscated.

For example, my SwiftGen Xcode Run Script:

$PODS_ROOT/SwiftGen/bin/swiftgen images --output $SRCROOT/Asset.swift $SRCROOT/Assets.xcassets

...should be changed to:

if [ "$SWIFTSHIELDED" != "true" ]; then
    $PODS_ROOT/SwiftGen/bin/swiftgen images --output $SRCROOT/Asset.swift $SRCROOT/Assets.xcassets
fi

Unlock Sources

If you're using a dependency manager like CocoaPods, you need to make sure that the sources are unlocked. If they aren't, SwiftShield will fail saying that it failed to overwrite the files. To unlock your project, execute:

chmod -R 774 PATHTOPROJECTFOLDER

Running SwiftInfo

USAGE: swiftshield obfuscate --project-file <project-file> --scheme <scheme> [--ignore-public] [--ignore-targets] [--verbose] [--dry-run] [--print-sourcekit]

OPTIONS:
  -p, --project-file <project-file>
                          The path to your app's main .xcodeproj/.xcworkspace
                          file. 
  -s, --scheme <scheme>   The main scheme from the project to build. 
  --ignore-public         Don't obfuscate content that is 'public' or 'open'
                          (a.k.a 'SDK Mode'). 
  -i, --ignore-targets    A list of targets, separated by a comma, that should
                          NOT be obfuscated. 
  -v, --verbose           Prints additional information. 
  -d, --dry-run           Does not actually overwrite the files. 
  --print-sourcekit       Prints SourceKit queries. Note that they are huge, so
                          use this only for bug reports and development! 
  -h, --help              Show help information.

Deobfuscating crash logs

A succesful run of SwiftShield generates a swiftshield-output/conversionMap.txt file that contains all changes made to your project:

//
//  SwiftShield
//  Conversion Map
//  Automatic mode for MyApp 2.0 153, 2018-09-24 10.23.48
//

Data:

ViewController ===> YytSIcFnBAqTAyR
AppDelegate ===> uJXJkhVbwdQGNhh
SuperImportantClassThatShouldBeHidden ===> GDqKGsHjJsWQzdq

Make sure to store this file when you publish a release, as it can be used to deobfuscate crash logs from the app that generated it through SwiftShield's deobfuscate subcommand.

USAGE: swiftshield deobfuscate --crash-file <crash-file> --conversion-map <conversion-map>

OPTIONS:
  -c, --crash-file <crash-file>
                          The path to the crash file. 
  -m, --conversion-map <conversion-map>
                          The path to the previously generated conversion map. 
  -h, --help              Show help information.

SwiftShield logo

Comments
  • Exclude files or code from obfuscation

    Exclude files or code from obfuscation

    In this PR :

    1 - Exclude files from obfuscation using -ignore-files (please not this will only obfuscate the class/struct.. name). 2 - Exclude properties/variables/classes.. that start with a tag using excluded-prefix-tag. 3 - Exclude properties/variables/classes.. that end with a tag using excluded-suffix-tag. 4 - Enable properties obfuscations.

    opened by hadiidbouk 17
  • Ignore names script option

    Ignore names script option

    Problem

    SwiftShield obfuscates the following names:

    • "class names" which are used in storyboard, xibs
    • "CodingKeys" used by models

    Which generates build, runtime errors.

    Solution

    New script option, --ignore-names where you pass the names which should not be obfuscated by SwiftShield.

    example swiftshield obfuscate --project-file YourProduct.xcodeproj --scheme YourProduct --ignore-names IBViewName1,IBViewName2,CodingKeys

    Tested

    • swiftshield 4.0.3 + ignore-names option
    • swiftshield 4.1.1 + ignore-names option
    • Xcode 11

    With version 4.1.1 I have some properties (2-3, not too many) which are not being obfuscated. But the ignore names option it's working.

    opened by andreiChis70 6
  • Exclude public option

    Exclude public option

    Hey, this PR adds support for a new flag -exclude-public. It is a minimal thing. It doesn't support other access flags like internal, but it shows the way and gets the job I need done. Btw the way you get sourcekitd stuff is quite unswifty, check out this code from Apple guys: https://github.com/apple/swift/blob/master/tools/SourceKit/tools/swift-lang/SourceKitdResponse.swift You might just love it ;-)

    opened by vrujbr 6
  • Add support for directories/files names with spaces

    Add support for directories/files names with spaces

    Reason: SourceKit's send_request_sync() fails and returns "error opening input file xxx- No such file or directory", if the folder or file names include escape(\) in front of the space character. Fix: Remove escape(\) character in front of space before processing.

    opened by ptwoms 1
  • Adding the SWIFTSHIELDED property in the build settings in a more resilient way

    Adding the SWIFTSHIELDED property in the build settings in a more resilient way

    The property SWIFTSHIELDED was added to the prj file looking PRODUCT_NAME in some cases this property might not be present in the build settngs and so the project was not flagged as already obfuscated.

    This PR address the issue looking instead directly for the buildSettings string.

    opened by strfn 1
  • Fix obfuscate failed by extracting SwiftFileList file

    Fix obfuscate failed by extracting SwiftFileList file

    This PR wants to fix #64 and make tool compatible with Xcode11. However, I noticed that the Circle.CI seems not worked for this repo. Maybe we need a better way to test these changes on CI.

    opened by ldp940622 1
  • add support for gesture and support for some IBAction func with no param

    add support for gesture and support for some IBAction func with no param

    #55 add support for gesture, i use element.parent?.parent?.name.contains("GestureRecognizer") to detection add support for some IBAction func with no param(manual write function and drag to connect...)

    opened by iOSleep 1
  • Ignore children of public protocols

    Ignore children of public protocols

    I think public protocols' children should also be considered public so as not to get obfuscated in SDK mode. I'm wondering: it's highly unlikely that no one's gone through this problem before me. Am I missing something?

    Cheers, Bruno! πŸš€

    opened by fborges 2
  • support xib and storyboard obfuscation with command line option

    support xib and storyboard obfuscation with command line option

    I added this because my projects use storyboards and xibs and it takes time to update xml files manually after source obfuscation. IB XML obfuscation is added as an option (--include-ibxmls) and is not enabled by default.

    opened by ptwoms 2
  • Public static var/func not identified as public if exported to objc

    Public static var/func not identified as public if exported to objc

    Given a protocol defined as

    @objc public protocol AProtocol {
   static func pubfunction()
   static var pubvariable: Int { get }
}

    SourceKit do not reports the right ACL in the attributes list. The right ACL is resported instead in key.effective_access

    key.entities: [
        {
          key.kind: source.lang.swift.decl.function.method.static,
          key.name: "decision()",
          key.usr: "c:@M@Module@objc(pl)Name(cm)pubfunction",
          key.line: 23,
          key.column: 17,
          key.attributes: [
            {
              key.attribute: source.decl.attribute.objc
            }
          ],
          key.effective_access: source.decl.effective_access.public
        },
......

    This MR try to address this behaviour looking into the effective_access property to identify public entities in SDK mode.

    opened by strfn 3
Releases(4.2.1)
Owner
Bruno Rocha
iOS Developer at Spotify, Writer of https://swiftrocks.com
Bruno Rocha
GitHub https://swiftrocks.com
Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers

Frida Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. Learn more at frida.re. Two ways to install 1. Inst

Frida 11.4k Jan 9, 2023
Sideload iOS apps regardless of security settings

m1-ios-sideloader Sideload iOS apps regardless of security settings Notes Does not support encrypted IPAs at this time - you can grab decrypted IPAs w

Eric Rabil 20 Dec 4, 2022
Convert .deb apps to .ipa files, on iOS, locally

DebtoIPA Convert .deb apps to .ipa files, on iOS, locally Usage Download .deb that contains .app file. You will get an error if you try importing othe

Matthew Anisovich 256 Jan 8, 2023
RSA public/private key encryption, private key signing and public key verification in Swift using the Swift Package Manager. Works on iOS, macOS, and Linux (work in progress).

BlueRSA Swift cross-platform RSA wrapper library for RSA encryption and signing. Works on supported Apple platforms (using Security framework). Linux

Kitura 122 Dec 16, 2022
RSA public/private key encryption, private key signing and public key verification in Swift using the Swift Package Manager. Works on iOS, macOS, and Linux (work in progress).

BlueRSA Swift cross-platform RSA wrapper library for RSA encryption and signing. Works on supported Apple platforms (using Security framework). Linux

Kitura 122 Dec 16, 2022
Oversecured Vulnerable iOS App is an iOS app that aggregates all the platform's known and popular security vulnerabilities.

Description Oversecured Vulnerable iOS App is an iOS app that aggregates all the platform's known and popular security vulnerabilities. List of vulner

Oversecured Inc 135 Dec 15, 2022
Pass for iOS - an iOS client compatible with Pass command line application.

Pass is an iOS client compatible with ZX2C4's Pass command line application. It is a password manager using GPG for encryption and Git for version control.

Mingshen Sun 1.3k Dec 26, 2022
CCCryptor (AES encryption) wrappers for iOS and Mac in Swift. -- For ObjC, see RNCryptor/RNCryptor-objc

RNCryptor Cross-language AES Encryptor/Decryptor data format. The primary targets are Swift and Objective-C, but implementations are available in C, C

null 3.3k Dec 30, 2022
Simple Swift wrapper for Keychain that works on iOS, watchOS, tvOS and macOS.

KeychainAccess KeychainAccess is a simple Swift wrapper for Keychain that works on iOS and OS X. Makes using Keychain APIs extremely easy and much mor

Kishikawa Katsumi 7.2k Dec 30, 2022
A simple Swift Keychain Wrapper for iOS, watchOS, and OS X.

Latch A simple Swift 2.0 Keychain Wrapper for iOS, watchOS 2, and OS X. Usage A proper example of how to use Latch can be seen in the tests. import La

Danielle 56 Oct 25, 2022
A simple wrapper for the iOS Keychain to allow you to use it in a similar fashion to User Defaults. Written in Swift.

SwiftKeychainWrapper A simple wrapper for the iOS / tvOS Keychain to allow you to use it in a similar fashion to User Defaults. Written in Swift. Prov

Jason 1.5k Dec 30, 2022
Private Password Manager developped with Swift for iOS project.

Private Password Manager developped with Swift for iOS project. This manager can syncronize secret data to Azure Blob Storage. To specify user account, tSecret use Azure Active Directory authentication.

Manabu Tonosaki 0 Dec 3, 2021
Very simple swift wrapper for Biometric Authentication Services (Touch ID) on iOS.

SimpleTouch Very simple swift wrapper for Biometric Authentication Services (Touch ID) on iOS. Sample Project There is a SimpleTouchDemo target define

Simple Machines 117 Nov 15, 2022
An iOS passcode lock with TouchID authentication written in Swift.

PasscodeLock A Swift implementation of passcode lock for iOS with TouchID authentication. Installation PasscodeLock requires Swift 2.0 and Xcode 7 Car

Yanko Dimitrov 679 Nov 26, 2022
An iOS passcode lock with TouchID authentication written in Swift.

PasscodeLock A Swift implementation of passcode lock for iOS with TouchID authentication. Originally created by @yankodimitrov, hope you're doing well

Serge Velikan 203 Dec 6, 2022
Swift-problem-solving - Swift μ•Œκ³ λ¦¬μ¦˜ 맛보기 πŸ˜‹

swift-problem-solving Swift 둜 μ•Œκ³ λ¦¬μ¦˜ 읡히기 ?? Programmers λ‚œμ΄λ„ 풀이 문제 λ°”λ‘œκ°€κΈ° Lv.2 μ˜€ν”ˆμ±„νŒ…λ°© 링크 Lv.3 닀단계 칫솔 판맀 링크 Lv.3 ν•©μŠΉ νƒμ‹œ μš”κΈˆ 링크 Leetcode λ‚œμ΄λ„ 풀이 문제 λ°”λ‘œκ°€κΈ° Medium 1

jegyun 3 Dec 27, 2022
Swift-cuckoo-collections - Cross-platform Swift dictionaries & sets that use a cuckoo hashing algorithm

CuckooCollections A Swift package for open-addressed sets and dictionaries that

Christopher Richez 0 Aug 2, 2022
Safe and easy to use crypto for iOS and macOS

Swift-Sodium Swift-Sodium provides a safe and easy to use interface to perform common cryptographic operations on macOS, iOS, tvOS and watchOS. It lev

Frank Denis 483 Jan 5, 2023
Helper functions for saving text in Keychain securely for iOS, OS X, tvOS and watchOS.

Helper functions for storing text in Keychain for iOS, macOS, tvOS and WatchOS This is a collection of helper functions for saving text and data in th

Evgenii Neumerzhitckii 2.3k Dec 28, 2022