[SWIFT] Obfuscate security-sensitive strings

When developing a new iOS app, developers usually focus on the UI/UX and on rushing the release to the App Store, and security is forgotten along the way. In this tutorial I will show you how to obfuscate security-sensitive strings so that they do not sit in the shipped binary as plain literals.

Some of you might think that the IPA file is well secured by itself and that no one can do any harm to it. That is wrong: an IPA is an ordinary zip archive, and once the Mach-O binary inside it has been decrypted, every hard-coded string literal can be listed with a tool such as strings or any disassembler. Keep reading.

An attacker needs only a jailbroken iPhone: dump the decrypted binary from the running app, or attach a debugger to it, and all of your sensitive strings are there to read.

Sensitive strings are:

  • REST API Credentials
  • OAuth Credentials
  • Passwords
  • URLs not intended to be known to the public (i.e. private backend API endpoints)
  • Keys & Secrets

Do you really want to expose this kind of information that easy?

The solution

Obfuscator – This library obfuscates hard-coded security-sensitive strings by turning them into byte arrays. Instead of shipping the literal in the app, you ship the byte array and decode it at runtime to get the string back. It is simple to adopt, and it removes your secrets from a plain string dump of the binary. Be clear about what it does not do: the salt that drives the decoding ships in the same binary, and the revealed string exists in memory and on the wire the moment you use it, so an attacker with a debugger on a jailbroken device can still read it. Treat it as raising the cost of casual extraction, not as encryption, and keep secrets whose leak would really hurt on your backend. Add the library's single source file to your project and you are ready to start.

Obfuscate security-sensitive strings

1. Define the Salt key:

let o = Obfuscator(withSalt: [AppDelegate.self, NSObject.self, NSString.self])

The salt can be anything you like, but it must be exactly the same value for encoding and decoding, because the key stream is derived from it: the library works from the textual description of the salt array, and your own classes appear there with the module name in front (XORing the byte arrays below against their original values gives a key stream that begins "[TestObfusca", i.e. the module-qualified AppDelegate name). Renaming the app target or the class therefore changes the key and silently breaks every stored byte array, so regenerate them after such a rename. A combination of native classes like in the example is the convention. Note that class names are not secret; they are recoverable from the binary's runtime metadata, which is why this is obfuscation rather than encryption.

2. Generate the byte array

let bytes = o.bytesByObfuscatingString(string: "555555556ABC")
print(bytes) /*[110, 97, 80, 70, 65, 122, 87, 83, 67, 50, 33, 34]*/

This gives you the byte array for the provided string; store that value in the class where you keep your constants. Generate the arrays in a one-off script or playground rather than in app code: once you are done, the call to bytesByObfuscatingString and, above all, the plain-text literal must be gone from the code you ship, otherwise the literal is still compiled into the binary and nothing has been gained. You will repeat this step whenever you add a new sensitive string.

I suggest keeping all the strings in a struct, with the original values commented above the byte arrays for orientation. Comments are not compiled into the binary, but they are in your repository, so if the source is shared or could leak, keep the originals in a password manager or secrets store instead of in the comment.

struct Constants {
    /*Original 12311456ABC*/
    static let GOOGLE_API_KEY: [UInt8] = [106, 102, 86, 66, 69, 123, 87, 80, 52, 49, 32]

    /*Original 555555556ABC*/
    static let FACEBOOK_API_KEY: [UInt8] = [110, 97, 80, 70, 65, 122, 87, 83, 67, 50, 33, 34]
}

3. Reveal the string

let value = o.reveal(key: Constants.FACEBOOK_API_KEY)
print(value) /*555555556ABC*/

This returns the original value 555555556ABC, and you can use it. Keep in mind that from this point the plain value exists in memory, so reveal it as late as possible, keep it in the narrowest scope you can, and never log it.
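The whole scheme in a few lines, as an added example that is not the Obfuscator library's own code and is written in Python rather than Swift so it can be run anywhere. The byte arrays on this page decode consistently as repeating-key XOR of the string's UTF-8 bytes against the text form of the salt array: the first twelve bytes of that key stream, "[TestObfusca", follow directly from the page's numbers, while the full SALT value used here is an assumption. The second half shows the check a reviewer should make before trusting the scheme: because every string is XORed against the same salt from offset zero, the plaintext of one string (a test value, a known key prefix, an "https://" scheme) recovers the key stream and decodes the leading bytes of every other string in the app.

```python
from __future__ import annotations

# Added example, not the Obfuscator library's own code. The page's byte arrays
# decode consistently as repeating-key XOR against the string form of the salt
# array, so that is what is reimplemented here. Only the first 12 bytes of the
# key stream, "[TestObfusca", are confirmed by the page's numbers; the rest of
# SALT is an assumption about how [AppDelegate.self, NSObject.self, NSString.self]
# is described in a module named TestObfuscator.
SALT = "[TestObfuscator.AppDelegate, NSObject, NSString]"

# Byte arrays copied from the page's Constants struct.
FACEBOOK_API_KEY = [110, 97, 80, 70, 65, 122, 87, 83, 67, 50, 33, 34]
GOOGLE_API_KEY = [106, 102, 86, 66, 69, 123, 87, 80, 52, 49, 32]


def obfuscate(plaintext: str, salt: str = SALT) -> list[int]:
    """XOR each UTF-8 byte of plaintext with the salt, repeating the salt as needed."""
    key = salt.encode("utf-8")
    return [b ^ key[i % len(key)] for i, b in enumerate(plaintext.encode("utf-8"))]


def reveal(obfuscated: list[int], salt: str = SALT) -> str:
    """Inverse of obfuscate(): XOR with the same key stream restores the bytes."""
    key = salt.encode("utf-8")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(obfuscated)).decode("utf-8")


def recover_keystream(obfuscated: list[int], known_plaintext: str) -> bytes:
    """Attacker's step: if the plaintext of one obfuscated string is known or
    guessable, XORing it with the byte array yields the key stream, which is
    the salt string itself, for as many bytes as the known plaintext covers."""
    known = known_plaintext.encode("utf-8")
    return bytes(c ^ p for c, p in zip(obfuscated, known))


def reveal_with_keystream(obfuscated: list[int], keystream: bytes) -> str:
    """Decode another string with a recovered key stream. Every string in the
    app is XORed against the same salt from offset 0, so a key stream recovered
    from one string decodes the same number of leading bytes of every other."""
    if len(keystream) < len(obfuscated):
        raise ValueError("recovered key stream too short for this target")
    return bytes(c ^ k for c, k in zip(obfuscated, keystream)).decode("utf-8")


if __name__ == "__main__":
    # Round trip reproduces the page's numbers.
    assert obfuscate("555555556ABC") == FACEBOOK_API_KEY
    assert reveal(FACEBOOK_API_KEY) == "555555556ABC"
    # Known plaintext for one string leaks the key stream ...
    ks = recover_keystream(FACEBOOK_API_KEY, "555555556ABC")
    print("key stream:", ks)  # b'[TestObfusca'
    # ... which decodes a different string without touching the app at all.
    print("google key:", reveal_with_keystream(GOOGLE_API_KEY, ks))  # 12311456ABC
```

Run it with python3. In practice the attacker does not even need a known plaintext: the salt is built from class names, and those are recoverable from the binary's runtime metadata, so the whole key stream can be rebuilt offline. That is the reason the rest of this tutorial describes the measure as obfuscation and not as encryption.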

This is an easy measure to implement, and it should not take you more than an hour. Remember what it buys you: your secrets no longer show up in a string dump of the binary, which stops the casual attacker. It is not encryption and will not stop a determined reverse engineer, so anything whose leak would be expensive (long-lived API keys, signing secrets) belongs on your backend, behind authentication, rather than in the app at all.

I hope that this story has helped you, and if you have any questions please don't hesitate to comment; I will be more than happy to answer them. Also, don't forget to share and help others. 🙂
