2

I'm looking to obfuscate a static Objective-C binary library.

What best practices or tools do people here recommend for that? I'm looking to make it a little harder for potential hackers to identify what certain code in my library does.

Thanks!

Hisham
  • Well, I'm sure there are tools out there but fundamentally you shouldn't be relying on obscurity for security. Obfuscation has its place, but it should only be considered a thin first line of defense. Be worried about the attacker that isn't concerned by your attempt. – Robert Dec 09 '10 at 00:23
  • possible duplicate of [Objective-C Code Obfuscation](http://stackoverflow.com/questions/1727327/objective-c-code-obfuscation) – mmmmmm Jan 09 '12 at 11:32

2 Answers

10

At the top of your header, you could do stuff like:

```objc
#define SecurityClass ah7p
#define checkCopyProtection xcyc
```

JWWalker
  • Could anyone try to explain this? I can't find anything about this method. I don't want to be rude, but could this simply be a fake, because it ends up being unused by the compiler and nothing happens? – Patrik Jan 02 '13 at 18:18
  • It's simple. Human-readable names in your source code are replaced by less-readable symbols during preprocessing, and the compiler proper only sees the latter. But if you have any doubt about what names end up in the binary code, look inside the executable with an editor. – JWWalker Jan 02 '13 at 21:42
  • You're right. I should have done this before stating such a comment. I'm just wondering how on earth you found these two lines? Is there any way I could research this to understand it further? – Patrik May 23 '13 at 18:09
  • I didn't "find" those 2 lines, they were just a made-up example. You would do this with whatever security-related functions and classes you use in your code. – JWWalker May 23 '13 at 21:36
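An added example (not code from the answer or its comments) showing, in plain C, what the preprocessor does and does not rename when the two `#define` lines above are in effect; Objective-C uses the same preprocessor. The helper names (`STR_RAW`, `STR_EXPANDED`, `compiled_name`, `log_message`, and so on) are hypothetical and exist only for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Renames taken from the answer; normally kept in one private header. */
#define SecurityClass ah7p
#define checkCopyProtection xcyc

/* '#' stringifies a macro argument without expanding it first. */
#define STR_RAW(x) #x
/* One extra level of expansion applies the rename before stringifying. */
#define STR_EXPANDED(x) STR_RAW(x)

struct SecurityClass { int licensed; };   /* compiled as: struct ah7p */

static const char *seen_name = "";

/* Compiled as: int xcyc(const struct ah7p *s) */
int checkCopyProtection(const struct SecurityClass *s) {
    seen_name = __func__;   /* the identifier the compiler proper saw */
    return s->licensed;
}

/* Returns the function's identifier as it exists after preprocessing. */
const char *compiled_name(void) {
    struct SecurityClass s = { 1 };
    (void)checkCopyProtection(&s);
    return seen_name;
}

const char *raw_name(void)      { return STR_RAW(checkCopyProtection); }
const char *expanded_name(void) { return STR_EXPANDED(checkCopyProtection); }

/* String literals are never rewritten by #define; this text ships as-is. */
const char *log_message(void) { return "checkCopyProtection failed"; }

/* 1 if the readable name still appears in the literal, else 0. */
int literal_still_readable(void) {
    return strstr(log_message(), STR_RAW(checkCopyProtection)) != NULL;
}

int main(void) {
    printf("compiled identifier: %s\n", compiled_name());
    printf("raw stringified:     %s\n", raw_name());
    printf("expanded:            %s\n", expanded_name());
    printf("literal leaks name:  %d\n", literal_still_readable());
    return 0;
}
```

The same limits apply in Objective-C: a name passed as a string, such as `NSClassFromString(@"SecurityClass")`, is not renamed, so it both leaves the readable name in the binary and no longer matches the renamed class.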
1

Make sure you have your compiler set to strip the linked product. This will make it harder for hackers by removing any labels in the output function. Unfortunately, you cannot completely remove Objective-C information from the product. All method calls are done dynamically, so the library has to have information about your classes in order to function. The only way to keep hackers from using this information would be to make sure all of your class, method, and instance variable names give no information about what they are for.

ughoavgfhw