Do we need code obfuscation for the app?

Hi,

Our internal MAPT (mobile application penetration test) team is suggesting code obfuscation. Is it possible to reverse engineer the iOS source code?

What language are you programming in?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi,

We program in Objective-C.

Is it possible to reverse engineer iOS code? Of course it is.

Does code obfuscation help? Not against a motivated reverse engineering effort.


Essentially, what your internal team is saying is just "Code obfuscation would increase the reverse engineering effort above what we feel would be a trivial effort."

Hi,

Thank you. If yes, can you provide me the solutions or a reference on how to integrate obfuscation for Objective-C?

> is it possible to do reverse engineer the ios source code ?


Anything is possible - the better question is if it is practical. Lesser effort would be spent simply replicating an app from scratch...reverse engineering would be non-trivial. Apps are compiled and encrypted. Suggest your team familiarize themselves w/ iOS Security before you decide to take additional steps.

So what’s the actual threat model here?

  • Are you trying to hide secrets in your app?

  • Are you concerned about folks using information gleaned from your binary to find security flaws in your product?

  • Are you concerned about folks reverse engineering your source code and using it in their products?

These are very different threats and deserve very different responses.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Eskimo,

We are highly concerned about the two points below:

  • Are you trying to hide secrets in your app?
  • Are you concerned about folks using information gleaned from your binary to find security flaws in your product?

Please provide any solution for this.

Thanks in advance.

With regard to the first point, my general recommendation is that you not embed secrets in your app. By doing that you are effectively creating a DRM system, that is, you’re giving someone some data (the secret) and trying to restrict how they use that data. It’s impossible to create a perfect DRM system, and thus you inevitably get into an arms race with your attackers. It’s better to avoid that if possible.

I’ve talked about this issue before here on DevForums.

With regard to your second point, honestly, I think obfuscation is the wrong approach to this. It is, essentially, security through obscurity, and that’s generally frowned upon.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

There are other reasons for wanting to obfuscate your code. For example, someone using bsdiff/bspatch to have your license checking code always return true. From a cybersecurity standpoint, your code should always be protected. If an attacker can run strings and find "check license", it makes finding the verification function trivial. Your assertion that this is "security through obscurity" is simplistic at best. In your view, is code flattening the same? I would suggest you look at: https://mas.owasp.org/MASTG/iOS/0x06j-Testing-Resiliency-Against-Reverse-Engineering/#frida-detection
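
The replies above raise two things you can check on your own build before release: secrets embedded in the app, and names such as "check license" that `strings` would expose. The following is an added example, not part of the original thread or any poster's code: a Python sketch that extracts printable strings from a binary's bytes and flags secret-like or revealing ones. The rule patterns, the entropy threshold and the sample bytes are assumptions constructed for illustration.

```python
import math
import re

# Assumed rules for this sketch; tune them to your own project.
RULES = {
    "private-key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "credential-assignment": re.compile(
        r"(?i)(api[_-]?key|secret|passw(or)?d|token)\s*[=:]\s*\S+"),
    "revealing-symbol": re.compile(r"(?i)(check|verify|validate)[ _]?licen[sc]e"),
}
TOKEN = re.compile(r"[A-Za-z0-9+/_-]{24,}")  # long key-like runs


def printable_strings(blob, min_len=6):
    """Yield runs of printable ASCII, the way strings(1) does."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.group().decode("ascii")


def entropy(s):
    """Shannon entropy in bits per character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s))
                for c in set(s))


def audit(blob, min_entropy=4.0):
    """Return sorted (rule, string) findings for a compiled binary's bytes."""
    findings = set()
    for s in printable_strings(blob):
        for name, rx in RULES.items():
            if rx.search(s):
                findings.add((name, s))
        # Random-looking long tokens are likely keys even without a label.
        if any(entropy(t) >= min_entropy for t in TOKEN.findall(s)):
            findings.add(("high-entropy", s))
    return sorted(findings)


# Constructed sample bytes standing in for a built Mach-O binary.
SAMPLE = (b"\xcf\xfa\xed\xfe\x07\x00\x00\x01"
          b"-[LicenseManager checkLicense]\x00"
          b"\x01\x02api_key=q7Zp2LxV9mTa4RcY8bWe3NdK\x00"
          b"Welcome back!\x00\x90\x90")

if __name__ == "__main__":
    for rule, text in audit(SAMPLE):
        print(f"{rule}: {text}")
```

Run against the real executable by passing `open(path, "rb").read()` to `audit`; any finding is something a reader of the binary would see too.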
