Open in app

Sign in

Write

Sign in

Increase the security of your iOS app by obfuscating sensitive strings [Swift]

Dejan Atanasov
Swift2Go
Published in
3 min readMay 31, 2017

When developing a new iOS app, developers usually focus only on the UI/UX and rushing to release it to the AppStore. However, they are forgetting one very important thing called security.

Probably some of you might even think that the IPA file is well secured by itself and no one can do any harm to it. Well, you will be very wrong if you think that, and you should keep reading this…

The attacker just needs a jailbroken iPhone that will connect it to debug mode and then he is enabled to intercept all of your sensitive strings.

Sensitive strings are:

  • REST API Credentials
  • OAuth Credentials
  • Passwords
  • URLs not intended to be known to the public (i.e. private backend API endpoints)
  • Keys & Secrets
Do you really want to expose this kind of information that easy?

The solution

Obfuscator - This library does obfuscation of hard-coded security-sensitive strings, and turns them into byte arrays. In other words, instead of passing the hard-coded strings through the app, you will have to decode a byte array in order to reveal the string. So simple, and it makes impossible for the attackers to get your sensitive information out. Just click the hyperlink at the beginning of this paragraph, add the file in your project and you are ready to start.

Usage

import Obfuscator
  1. Define the Salt key:
let o = Obfuscator(withSalt: [AppDelegate.self, NSObject.self, NSString.self])

The Salt key can be any format that you like, but remember that this will be used as a unique value for both encoding and decoding of the string. The best practice is to use a combination of native classes like in the example.

2. Generate the byte array

let bytes = o.bytesByObfuscatingString(string: “555555556ABC”)
print(bytes) /*[110, 97, 80, 70, 65, 122, 87, 83, 67, 50, 33, 34]*/

Here you will get a byte array for the provided string and you should store that value in the class where you keep your constants. When you are done with all the strings, just comment bytesByObfuscatingString, because you won't need it in anymore (at least not until you add some new sensitive string).

I suggest keeping all the strings in a struct, and also keep the original values commented above the byte arrays for orientation purposes.

struct Constants {/*Original 12311456ABC*/
static let GOOGLE_API_KEY: [UInt8] = [106, 102, 86, 66, 69, 123, 87, 80, 52, 49, 32]/*Original 555555556ABC*/
static let FACEBOOK_API_KEY: [UInt8] = [110, 97, 80, 70, 65, 122, 87, 83, 67, 50, 33, 34]}

3. Reveal the string

let value = o.reveal(key: Constants.FACEBOOK_API_KEY)
print(value) /*555555556ABC*/

This will return you the original value 555555556ABC and you are safe to use it.

This is an easy to implement security measure and I think it won't take you more than an hour to finish it. Remember that this way you are protecting your valuable info and your users from various attacks.

I hope that this story has helped you, and if you have any questions please don’t hesitate to comment I will be more than happy to answer them. Also, don’t forget to click the ❤ below and share to help others. :)

Originally written on theappspace.com

IOS
Mobile App Development
Swift 3
Swift
Xcode

--

--

Dejan Atanasov
Swift2Go

Written by Dejan Atanasov

2K Followers
Editor for

Senior iOS & Android Developer | Creator of Swift2Go | @hackernoon writer | Hire Me: http://bit.ly/2XfxbBR

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams