
If I need to obfuscate an iPhone password that is hardcoded (OAuth Client Identifier and Client Secret), would this be a way to do it?

NSString *a = @"a";
NSString *b = @"b";
NSString *c = @"c";
NSString *d = @"d";
NSString *e = @"e";
NSString *f = @"f";
NSString *g = @"g";
NSString *h = @"h";
NSString *i = @"i";
/*    hidden     */
NSString *w = @"w";
NSString *x = @"x";
NSString *y = @"y";
NSString *z = @"z";

NSString *pwd = [NSString stringWithFormat:@"%@%@%@%@%@%@%@%@", p,a,s,s,w,o,r,d];

I know obfuscation isn't recommended, but after reading this ("OAuth secrets in mobile apps") it seems like the only way.

Arian Faurtosh

2 Answers


If you compile with clang -O3, only the letters that are actually used in the password get included in the .o file. You should include some code that pretends to use the rest of the alphabet, such as another call to + stringWithFormat whose results are ignored.

200_success

You could always encrypt the text in question offline, store the encrypted version in the app, then at the point where you need it, decrypt it. That way it (at least) isn't in plain text in the app. Even your mechanism above will likely produce a pattern in the binary.

nsdebug
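
The approach in the second answer (encrypt offline, embed the encrypted bytes, decrypt at the point of use), sketched in C as an added example that is not code from the question or either answer. XOR with an embedded key stands in for a real cipher, and the key, the masked bytes and the helper names are constructed for illustration; because the key ships in the same binary, this only keeps the plaintext out of a strings-style scan.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample key; the secret is "password", as in the question. */
static const unsigned char MASK_KEY[] = { 0x5A, 0xC3, 0x17, 0x88, 0x2E };
/* Emitted by the offline step: "password" XORed with MASK_KEY. */
static const unsigned char MASKED_SECRET[] = {
    0x2A, 0xA2, 0x64, 0xFB, 0x59, 0x35, 0xB1, 0x73 };

/* XOR is its own inverse, so one routine serves both the offline
   masking step and the runtime unmasking step. */
static void xor_mask(const unsigned char *in, size_t len, unsigned char *out)
{
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ MASK_KEY[i % sizeof MASK_KEY];
}

/* Recover the secret into a caller buffer just before use.
   Returns 0 on success, -1 if the buffer cannot hold it plus a NUL. */
static int unmask_secret(char *out, size_t cap)
{
    if (cap < sizeof MASKED_SECRET + 1) return -1;
    xor_mask(MASKED_SECRET, sizeof MASKED_SECRET, (unsigned char *)out);
    out[sizeof MASKED_SECRET] = '\0';
    return 0;
}

/* Build-time check: does a byte blob contain the plaintext? This is
   what a strings-style scan of the shipped binary would pick up. */
static int blob_contains(const unsigned char *blob, size_t blen, const char *needle)
{
    size_t nlen = strlen(needle);
    if (nlen == 0 || nlen > blen) return 0;
    for (size_t i = 0; i + nlen <= blen; i++)
        if (memcmp(blob + i, needle, nlen) == 0) return 1;
    return 0;
}

int main(void)
{
    char secret[sizeof MASKED_SECRET + 1];
    if (unmask_secret(secret, sizeof secret) != 0) return 1;
    printf("plaintext present in embedded blob: %d\n",
           blob_contains(MASKED_SECRET, sizeof MASKED_SECRET, "password"));
    memset(secret, 0, sizeof secret); /* clear after use; the optimizer may drop this */
    return 0;
}
```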