I just made an iOS application with my own DRM (the application is for Cydia). I am wondering how I can secure my application from decompilation. I decompiled my app, just to check what the "interested" user can see. I was able to see every string, sensitive strings. Then I decompiled FindMyiPhone and I saw that every string was replaced with "some string from a protected section". Does anyone know how to protect a string?

David Gölzhäuser
  • You are going with Cydia and you want security? Oxymoronic! – zaph May 31 '14 at 12:48
  • @Zaph I want to make it as secure as possible – David Gölzhäuser May 31 '14 at 12:51
  • Did you look at the ".strings" files in the FindMyiPhone app? I see 400 plain text strings in "en.lproj/Localizable.strings". You do not even need to "decompile", just rename ".app" to ".zip", double click to decompress and look at the files. – zaph May 31 '14 at 13:04
  • The .strings file is for localisations, I don't think that they add the URL for the iCloud API in there. They somehow hid or encrypted the strings in the assembly file. – David Gölzhäuser May 31 '14 at 14:04
  • If you just want to protect a couple simple things like URLs you can use the Keychain. But protecting URLs is hardly worth it, everything being sent can be seen with a network analyzer such as Charles Proxy--even https. – zaph May 31 '14 at 14:11

1 Answer

First things first; if someone really wants to crack an app, he/she will find a way to do it. Also Cydia and Jailbreak won't help you much for protecting your app.

You should encrypt the string separately and use this encrypted string in your code. Naturally, the string should be decrypted at runtime before being used. This is very easy to crack, and these are the things you can do to make it harder:

  • Set "Deployment Postprocessing" and "Strip Linked Product" flags to YES from the project build settings. This will strip the symbol table and will make it more difficult to acquire the critical variable and method names (and also their addresses).
  • In addition to the first step, you can use preprocessor directives (especially #define) to make the compiled code more riddling. For example:

    #define importantString temp
    @property (nonatomic, strong) NSString * importantString;
    
  • Hiding the contents of the string is more tricky. You should encrypt the string, use only the encrypted string in the code and decrypt it at runtime when needed. This way your string will be hidden when the app is decompiled and any attacker will have to solve your encryption method. You can use AES directly or find some ideas about how to obfuscate a string in here and here. I would suggest writing your own encryption/decryption functions and using NS_INLINE for the decryption function to make the code more complicated when decompiled.
  • But there is another problem: the string is encrypted in the code, but it will be decrypted at runtime at some point, even if you wipe the decrypted string just after it's used. Someone can easily debug the code and hook the decrypted string. Luckily, there are some methods to prevent debugging which are described in here.

Still, these are all well-known methods and will only protect the code from curious eyes. For further information, you can look at this tutorial or read Apple documentation or this book.

ujell
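The store-encoded, decode-at-runtime, wipe-after-use pattern the answer describes, as an added example in plain C (usable from an Objective-C file); it is not code from the answer or from any Apple app. The mask scheme, the seed `0x3C`, all function names and the URL are assumptions made up for this illustration.

```c
/* Added example. This is obfuscation, not encryption: the mask and seed
   ship in the same binary, so it only defeats a plain strings scan. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Position-dependent mask byte (hypothetical scheme chosen for this example). */
static uint8_t mask_at(size_t i, uint8_t seed) {
    return (uint8_t)((seed + 31u * i) ^ 0xA5u);
}

/* Build-time step: mask n bytes of plain into out. Never shipped in the app. */
void obf_encode(const char *plain, size_t n, uint8_t seed, uint8_t *out) {
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)plain[i] ^ mask_at(i, seed);
}

/* Runtime step: unmask into a caller-owned buffer and NUL-terminate.
   Returns 0 on success, -1 if the buffer cannot hold n bytes plus the NUL. */
int obf_decode(const uint8_t *blob, size_t n, uint8_t seed, char *out, size_t cap) {
    if (cap < n + 1) return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(blob[i] ^ mask_at(i, seed));
    out[n] = '\0';
    return 0;
}

/* Zero the plaintext after use; volatile keeps the compiler from dropping the writes. */
void obf_wipe(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Returns 1 if needle occurs in the blob, i.e. what a strings scan would find. */
int blob_contains(const uint8_t *blob, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; m && i + m <= n; i++)
        if (memcmp(blob + i, needle, m) == 0) return 1;
    return 0;
}

/* Generator: prints the array literal to paste into the app source. */
int main(void) {
    const char *secret = "https://api.example.invalid/v1"; /* constructed value */
    uint8_t blob[64];
    size_t n = strlen(secret);
    obf_encode(secret, n, 0x3C, blob);
    printf("static const uint8_t kBlob[%zu] = {", n);
    for (size_t i = 0; i < n; i++) printf("0x%02x,", blob[i]);
    puts("};");
    return 0;
}
```

Only `obf_decode` and `obf_wipe` belong in the app; `obf_encode` and `main` run on the build machine. As the answer notes, the plaintext still exists in memory between decode and wipe.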