
I have an Ionic v1 / Cordova mobile app and I need to obfuscate all sources. For obfuscation of JavaScript I have used https://github.com/javascript-obfuscator/javascript-obfuscator and for Java for Android I have used https://github.com/greybax/cordova-plugin-proguard. As I couldn't find any Cordova plugin for obfuscation of Objective C, I decided to use https://github.com/preemptive/PPiOS-Rename.

However, after obfuscation with PPiOS-Rename, there seems to be a problem with obfuscation of Cordova plugins and I'm unable to run the app correctly. If I remove the plugins from the obfuscation process the app works, but I also need to obfuscate the code of the plugins.

Does anybody have experience with obfuscating the Objective C code of a Cordova app, please?

Thanks!

Alex Filatov
  • wow.. interesting question. I never found any tool for iOS app (Objective-C) and as per my knowledge, it is not possible. Please see https://stackoverflow.com/questions/5556849/iphone-ipad-app-code-obfuscation-is-it-possible-worth-it – Gagan_iOS Jan 04 '19 at 11:08
  • Thanks @Gagan_iOS, I think for native iOS app the https://github.com/preemptive/PPiOS-Rename is an option but nobody mentioned it in the question you are referring to. I will answer to that topic. My problem is that I can obfuscate some parts of the app but not the plugins which I use and which I need to obfuscate too. – Richard Guťan Jan 04 '19 at 15:09
  • Hey, when you did the analysis part, what was the path that you added? Here `ppios-rename --analyze /path/to/program.app/program`, what path did you use? Adding the path to platforms/ios doesn't work – Peter Haddad Mar 18 '19 at 13:08

1 Answer

The problem that you have is that Cordova relies on a bridge between your app code written in Javascript and the underlying native code in order to function. By obfuscating all of the Objective C code, the Javascript layer is unaware of this, and can no longer find the native class names it is looking for.

For example, let's suppose you have included cordova-plugin-device in your app.

Its `<feature>` definition for iOS maps the `Device` feature name to the `CDVDevice` class.

Let's suppose your Cordova app calls the plugin method device.getInfo(). This in turn invokes a call to cordova.exec() which calls the Device feature with the getDeviceInfo action.

Under the hood, Cordova looks up Device to find the native class name it's mapped to (CDVDevice) and then on the iOS platform it attempts to call the getDeviceInfo() member function on this class.

However, by running the PPiOS-Rename tool, you have obfuscated both the class name (CDVDevice) and the function name (getDeviceInfo()) so Cordova cannot find the class or function to invoke, so will throw an error.

In this case you'd need to exclude the CDVDevice using the filter option provided by PPiOS-Rename, for example:

```
ppios-rename --analyze -F '!CDVDevice' /path/to/program.app/program
```

If you wish to proceed with obfuscating the Objective C layer of your Cordova app, you will have to add exclusions for all of the class and function names which Cordova calls explicitly from the JavaScript layer. This includes any Cordova plugin interface classes in your project, and possibly classes belonging to the Cordova framework itself (as cordova-plugin-proguard does for ProGuard on Android).

DaveAlden
  • Thanks @DaveAlden, yeah I've mentioned in my post that if I exclude plugin classes I can get much of the code obfuscated, however I need to obfuscate also the code of plugins. It seems like I would need to use binary obfuscation provided by https://www.appdome.com/ which is a paid option. – Richard Guťan Jan 04 '19 at 14:58
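
The exclusion list described in the answer can be derived from the `<feature>` entries instead of being typed by hand. The following is an added example, not code from the answer or from PPiOS-Rename: it reads the `ios-package` values from a Cordova `config.xml` and builds the analyze command. The sample XML is constructed, `ExampleStore` / `CDVExampleStore` are hypothetical names, and the `!` prefix on a `-F` pattern is assumed to mark an exclusion.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed sample of a generated iOS config.xml (not from the original post).
SAMPLE_CONFIG = """<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.app">
    <feature name="Device">
        <param name="ios-package" value="CDVDevice" />
    </feature>
    <feature name="ExampleStore">
        <param name="ios-package" value="CDVExampleStore" />
        <param name="onload" value="true" />
    </feature>
    <feature name="AndroidOnly">
        <param name="android-package" value="com.example.AndroidOnly" />
    </feature>
</widget>
"""


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]


def bridge_classes(config_xml):
    """Return sorted (class, feature) pairs the JavaScript bridge resolves by name."""
    found = {}
    for el in ET.fromstring(config_xml).iter():
        if local(el.tag) != "feature":
            continue
        for param in el:
            if local(param.tag) == "param" and param.get("name") == "ios-package":
                value = (param.get("value") or "").strip()
                if value:
                    found.setdefault(value, el.get("name"))
    return sorted(found.items())


def analyze_command(config_xml, binary):
    """Build the ppios-rename analyze command with one exclusion filter per class."""
    argv = ["ppios-rename", "--analyze"]
    for cls, _feature in bridge_classes(config_xml):
        argv += ["-F", "!" + cls]  # assumption: '!' prefix marks an exclusion filter
    return shlex.join(argv + [binary])


if __name__ == "__main__":
    print(analyze_command(SAMPLE_CONFIG, "/path/to/program.app/program"))
```

This covers only the plugin entry classes named in `config.xml`; as the answer notes, classes belonging to the Cordova framework itself may need exclusions as well.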