iOS Implementation Code Obfuscation: A Step-by-Step Guide

As iOS developers, we often overlook the importance of code encryption and assume that our apps are secure because of Apple's robust system. This assumption is misleading: our code can still be reverse engineered. In this article, we will explore a method to obfuscate our code using a bash script that replaces method names with random strings through #define macros, which makes it more challenging for others to understand and modify our code.

Prerequisites

Before we begin, make sure you have the following tools installed on your system:

  • class-dump
  • Hopper
  • sqlite3
  • openssl
  • bash

Step 1: Create a New File

Open a terminal and navigate to your project directory. Create a new file named confuse.sh and a text file named func.list using the following commands:

touch confuse.sh
touch func.list

Step 2: Create CodeConfuse.h and PCH Files

Create a new file named CodeConfuse.h in your project’s Resources directory. This file will serve as a header file for our obfuscated code. Also, create a new PCH (Precompiled Header) file in your project’s Resources directory.

Step 3: Configure PCH

In your project’s PCH file, add the following code to include the CodeConfuse.h header file:

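// This guard must not reuse the guard name inside the generated CodeConfuse.h,
// otherwise the #include below would be skipped.
#ifndef CodeConfuse_h
#define CodeConfuse_h

// Pull in the macros that confuse.sh generates
#include "CodeConfuse.h"

#endif /* CodeConfuse_h */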

Step 4: Write the Confuse Script

In the confuse.sh file, add the following code:

#!/usr/bin/env bash

TABLENAME=symbols
SYMBOL_DB_FILE="symbols.db"
LSJDemo="PastLook"
STRING_SYMBOL_FILE="$LSJDemo/Resources/func.list"
# Source directory that is scanned for method names (must not be the generated header)
CONFUSE_FILE="$LSJDemo"
HEAD_FILE="$LSJDemo/Resources/CodeConfuse.h"

export LC_CTYPE=C

# Collect method names from the .m and .h files:
#   - take lines that begin with + or - (method declarations)
#   - remove the + and - signs
#   - replace punctuation with spaces so each line splits into words
#   - drop IBAction methods
#   - print the second word (the first part of the selector)
#   - sort, remove duplicates, delete blank lines
#   - keep only names that start with dt_
grep -h -r -I "^[-+]" "$CONFUSE_FILE" --include '*.[mh]' |
    sed "s/[+-]//g" |
    sed "s/[();,: *\^\/\{]/ /g" |
    sed "/^[ ]*IBAction/d" |
    awk '{split($0, b, " "); print b[2]}' |
    sort | uniq |
    sed "/^$/d" |
    sed -n "/^dt_/p" > "$STRING_SYMBOL_FILE"

# Keep the original -> random name mapping in a database for later lookup
createTable() {
    echo "create table $TABLENAME (src text, des text);" | sqlite3 "$SYMBOL_DB_FILE"
}

insertValue() {
    echo "insert into $TABLENAME values ('$1', '$2');" | sqlite3 "$SYMBOL_DB_FILE"
}

query() {
    echo "select * from $TABLENAME where src = '$1';" | sqlite3 "$SYMBOL_DB_FILE"
}

# 16 random letters (letters only, so the result is a valid identifier)
randomString() {
    openssl rand -base64 64 | tr -cd 'a-zA-Z' | head -c 16
}

rm -f "$SYMBOL_DB_FILE"
rm -f "$HEAD_FILE"

createTable
touch "$HEAD_FILE"

# Change the guard name here to match your project
echo '#ifndef PastLook_CodeConfuse_h
#define PastLook_CodeConfuse_h' >> "$HEAD_FILE"

echo "// confuse string at `date` " >> "$HEAD_FILE"
# One #define per collected symbol, recorded in the database as well
while read -r line; do
    if [ -n "$line" ]; then
        random=$(randomString)
        echo "$line $random"
        insertValue "$line" "$random"
        echo "#define $line $random" >> "$HEAD_FILE"
    fi
done < "$STRING_SYMBOL_FILE"
echo "#endif" >> "$HEAD_FILE"

sqlite3 "$SYMBOL_DB_FILE" .dump

Step 5: Add the Confuse Script to Your Project

Add the confuse.sh path to your project’s build settings.

Step 6: Compile Your Project

Compile your project, and the confuse.sh script will be executed, obfuscating your code.
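
Once the build has run, it is worth checking that the renaming actually took effect. The following is an added example, not part of the original article: it compares func.list with the generated CodeConfuse.h and with class-dump output that is assumed to have been saved to a text file. The function names, dump.txt and the sample data are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): post-build checks for confuse.sh.

# Symbols listed in func.list that have no "#define" in the header,
# i.e. method names that would ship unrenamed.
unmapped_symbols() {    # $1 = func.list, $2 = CodeConfuse.h
    awk 'FILENAME == ARGV[1] { if ($1 == "#define") mapped[$2] = 1; next }
         NF && !($1 in mapped) { print $1 }' "$2" "$1"
}

# Replacement names assigned to more than one symbol.
colliding_replacements() {    # $1 = CodeConfuse.h
    awk '$1 == "#define" && NF >= 3 && ++count[$3] == 2 { print $3 }' "$1"
}

# Original names still visible as whole identifiers in the class-dump output.
leaked_symbols() {    # $1 = func.list, $2 = saved class-dump output
    awk 'FILENAME == ARGV[1] { if (NF) want[$1] = 1; next }
         { n = split($0, tok, /[^A-Za-z0-9_]+/)
           for (i = 1; i <= n; i++) if (tok[i] in want) found[tok[i]] = 1 }
         END { for (s in found) print s }' "$1" "$2" | sort
}

# Constructed sample data: dt_save is left out of the header on purpose.
write_sample() {    # $1 = output directory
    printf '%s\n' 'dt_loadData' 'dt_save' > "$1/func.list"
    printf '%s\n' '#define dt_loadData QwErTyUiOpAsDfGh' > "$1/CodeConfuse.h"
    printf '%s\n' '- (void)QwErTyUiOpAsDfGh:(id)arg1;' '- (void)dt_save;' > "$1/dump.txt"
}

dir=$(mktemp -d)
write_sample "$dir"
echo "unmapped: $(unmapped_symbols "$dir/func.list" "$dir/CodeConfuse.h")"
echo "leaked:   $(leaked_symbols "$dir/func.list" "$dir/dump.txt")"
rm -rf "$dir"
```

Any name printed by leaked_symbols is still readable in the shipped binary, so it should be traced back to a missing #define or to a source file that does not include the PCH.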

Note

  1. When using XIB controls, make sure to use a unique name to avoid conflicts with the obfuscated code.
  2. Check the confuse.sh script to ensure that all paths are correct.
  3. This is just a basic method of code obfuscation, and it may not be foolproof.