Protecting resources in the application bundle?

Hi,


Is it necessary or recommended to do anything special to protect resources that are distributed in an application bundle? I'm talking about files like images and movies.


I'm working with a customer who is paranoid about their resources getting ripped off and they think the solution is to encrypt all of the files and decrypt them in the app using custom code. I'm almost certain this is a waste of time because of all the encryption already built in to the device, but I need to make 100% sure I'm understanding things correctly before I say anything.


Does Data Protection have anything to do with this? Or is Data Protection only relevant for files that the application writes to its documents directory at runtime?


Frank

I'm not an iOS guy, but to the best of my knowledge, Data Protection applies solely to information created and stored by the app (e.g. user documents). Stuff contained within the bundle is not encrypted, but it is signed and compressed. Tell your client to relax—most people don't care about the resources, and very few people will be brazen enough to plagiarize resources from an app. Besides, there's no way to hack another app's resources on a device (due to sandboxing and the lack of a user-level filesystem app like Finder) and the IPA files in which iOS apps are transmitted and backed up are kind of hard (I think) to get into.


If your client is still worried, introduce him to the new on-demand resources feature, introduced in iOS 9. With this feature, no resources will be shipped with the app; they will be downloaded and cached at runtime. That's about the best you can get, short of the ridiculous idea to encrypt everything.

An app - .ipa file, is just a .zip file. Anyone can unpack and snoop around, but they can't get code, just images, movies, audio snippets and the occasional plist or db file.


I'd suggest you unpack an example and see what you can see before going further.


As for DP, see "iOS: Understanding data protection - Apple Support" & "Adding Capabilities - Apple Developer"

As KMT noted, there's no protection of resources within a .ipa. It's trivial to pull one apart:

  1. download the app using iTunes on the Mac

  2. do a Show in Finder

  3. make a copy of the .ipa

  4. rename it to .zip

  5. double click to unpack it

So, you definitely need to talk this issue over with your client.

Whether you actually need to write any code depends on a lot of business factors:

  • How important is the resource?

  • How likely is it that someone would 'steal' it?

  • What protection can you implement?

  • How much harder would that make it for the attacker?

  • Will your protection system cause compatibility problems down the line?

  • and so on

It's important to realise that protecting resources like this is effectively implementing a DRM scheme; once you view things in this way, lots of the trade-offs become much clearer.

Does Data Protection have anything to do with this?

No.

Or is Data Protection only relevant for files that the application writes to its documents directory at runtime?

Correct.

Also, keep in mind that data protection is designed to protect your user's data from other users (specifically, folks who've stolen their phone). It doesn't protect a user's data from the user, or your data (your app, or the data your app generates) from a user.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
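Following the suggestion above to unpack a build and see what is visible, this added example (not code from the thread or from Apple) audits your own .ipa and reports which bundled files are directly recognisable by their leading bytes. The `Payload/<Name>.app/` layout check, the function names and the in-memory sample archive are assumptions made for the example; the sample is constructed, not a real app.

```python
from __future__ import annotations
import io
import zipfile

# Leading-byte signatures of formats commonly shipped as bundle resources.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"bplist00", "binary plist"),
    (b"SQLite format 3\x00", "sqlite db"),
]

def sniff(head: bytes) -> str | None:
    """Return a type name if the leading bytes match a known format."""
    for magic, name in SIGNATURES:
        if head.startswith(magic):
            return name
    # ISO base media files (mp4/mov/m4a) carry 'ftyp' at offset 4.
    if head[4:8] == b"ftyp":
        return "mp4/mov"
    return None

def audit_ipa(ipa) -> dict[str, str]:
    """Map each file under Payload/<Name>.app/ to its sniffed type or 'opaque'."""
    report = {}
    with zipfile.ZipFile(ipa) as z:  # an .ipa is a zip archive
        for info in z.infolist():
            parts = info.filename.split("/")
            in_app = len(parts) >= 3 and parts[0] == "Payload" and parts[1].endswith(".app")
            if info.is_dir() or not in_app:
                continue
            with z.open(info) as f:
                head = f.read(16)
            report["/".join(parts[2:])] = sniff(head) or "opaque"
    return report

def build_sample_ipa() -> io.BytesIO:
    """Constructed sample: a tiny zip laid out like an .ipa (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Payload/Demo.app/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        z.writestr("Payload/Demo.app/intro.mp4", b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 32)
        z.writestr("Payload/Demo.app/intro.enc", bytes(range(7, 55)))  # stand-in for ciphertext
        z.writestr("iTunesMetadata.plist", b"bplist00")  # outside Payload/, skipped
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for path, kind in audit_ipa(build_sample_ipa()).items():
        print(f"{kind:10} {path}")
```

Files reported as a known type are viewable the moment the archive is unpacked; `opaque` only means the header is not one of the listed formats, which is the most that encrypting a bundled file changes from this vantage point.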

I guess I spoke in error when I said I thought .ipa files were hard to get into. Sorry about that.

😊

See, I told you I wasn't an iOS guy!

Thanks for the responses. I want to say that I definitely understand that no data is truly "protected" if it can ultimately be accessed by the app running on the device. My goal here is to prevent something as simple as someone unpacking the app bundle and pulling out a viewable image or video file. So to be clear, I'm looking for tamper proofing, not real data protection.


Let's say I have a video file, and I encrypt it before placing it in the application bundle. In the examples I could find, the app decrypts the encrypted file to a new file in the documents or caches directory and then plays the new file in the video player. Ideally, I'd want to do the decryption on the fly. Currently in my app I'm accessing my video files by creating an NSURL, then an AVURLAsset, then an AVPlayerItem which is passed to the AVPlayer. Given that chain of objects, where is the best place to insert my decryption code? And would decrypting the file this way cause any loss of functionality in the AVPlayer (for example, would I still be able to seek the video to an arbitrary position)?


Also, what's the best way to do the encryption and decryption? I'm assuming iOS has some framework or API or something to help with this, rather than my having to write a lot of code from scratch.


Thanks.

You can extract from zip files in the bundle on the fly...perhaps that will slow down the curious when configured properly.


Just remember that the more you want to protect it, the more work you'll have to do, so at some point you risk a counter-productive scheme that still won't stop the determined. And whatever that amounts to, I wouldn't discuss here in public 😉


Listen to Eskimo on this.

Just in case you are still looking for common crypto functions, then the following may be helpful for you -

https://developer.apple.com/library/mac/samplecode/CryptoCompatibility/Introduction/Intro.html#//apple_ref/doc/uid/DTS40013654-Intro-DontLinkElementID_2

I only know two ways of doing this


1. Hide the file


Change the file name from myFile.json to .myFile.json

Your file will be hidden from people. However, some people may see it.

2. Do it in code


Instead of creating a file, make a string.

Turn this

File.html

```html
<!DOCTYPE html>
<html>
<head>
<title>Page Title</title>
</head>
<body>
<h1>This is a Heading</h1>
<p>This is a paragraph.</p>
</body>
</html>
```


Into this

ViewController.swift
```swift
var htmlstring = """
<!DOCTYPE html>
<html>
<head>
<title>Page Title</title>
</head>
<body>
<h1>This is a Heading</h1>
<p>This is a paragraph.</p>
</body>
</html>
"""
```

There is a way to see the code; however, very few people know about it.

Apple's documentation has a pretty good example for encrypting and decrypting files. I also know some iOS developers who have used MoonEncrypt with varying success to encrypt their bundled resource files. Then they're decrypted at runtime inside the app. It should deter most from getting to your sensitive data.
