iOS Question iXGuard - B4i obfuscation

JackKirk

I have been doing a bit of googling on the subject of iOS Objective C obfuscation.

There seems to be a tool iXGuard that fits the bill - but would need to be incorporated somewhere in the Hosted Mac Builder stuff (this sentence being an indicator of the limits of my knowledge).

The opening sentence in the iXGuard link above makes sobering reading:
> Hackers can use readily available tools to disassemble and inspect your iOS applications and SDKs and gain insight into their internal logic. This opens the way for various forms of abuse, including intellectual property theft, credential harvesting, tampering and cloning.

Who else sees this as a necessity?

How hard would this be to do?

I would appreciate any and all discussion...
 

lucasheer

I spent years reverse engineering to crack software and create video game hacks, and I don't think obfuscation is necessarily required for B4i.

B4i is already so much more secure than Windows .NET applications that run off of CLR, or really any other applications using a runtime.

I may be completely wrong, but B4i/XCode compiles the machine code which is directly executed by iOS.

And from my understanding, it's kind of pointless to obfuscate machine code?

Anyone can dump your executed application and search its memory.
 

JackKirk

> And from my understanding, it's kind of pointless to obfuscate machine code?

As an experiment earlier today I was able to use 7-zip and the Windows Notepad applet to open the .ipa of my iOS app and bore down to a file called _TEXT_cstring where I was able to find the credentials that the app uses to access AWS.

Admittedly I knew what I was looking for but so would any half intelligent hacker.

No special tools required - this has convinced me that the next release of the app will at least encrypt these credentials with a key that the hacker would not have an easy clue to.

But this probably has limited value if the code can be disassembled and the hacker can work out what has been done.

Obfuscation would hopefully at least confuse and complicate such efforts.
 
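A release check modelled on the experiment in the post above, as an added example that is not part of the thread: it opens the developer's own .ipa as a ZIP archive and reports any file holding a plain-text AWS access key ID. The function names, the 256-byte window and the sample archive (built from AWS's documented example key pair) are assumptions made for the example.

```python
import io
import re
import zipfile

# AWS access key IDs: "AKIA" (long-term) or "ASIA" (temporary) + 16 characters.
KEY_ID = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A stand-alone run of exactly 40 base64 characters: the shape of a secret access key.
SECRET = re.compile(rb"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")


def scan_ipa(ipa, window=256):
    """Scan every file in an .ipa (an ordinary ZIP archive) for access key IDs.

    `ipa` is a path or a file-like object. Each finding records the archive
    member, the byte offset, a redacted key ID, and whether a 40-character
    secret-shaped string lies within `window` bytes of it.
    """
    findings = []
    with zipfile.ZipFile(ipa) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            data = archive.read(info)
            for match in KEY_ID.finditer(data):
                key = match.group().decode("ascii")
                nearby = data[max(0, match.start() - window):match.end() + window]
                findings.append({
                    "member": info.filename,
                    "offset": match.start(),
                    "key_id": key[:4] + "..." + key[-4:],  # keep full key out of CI logs
                    "secret_nearby": SECRET.search(nearby) is not None,
                })
    return findings


def build_sample_ipa():
    """Constructed sample: a fake app binary holding AWS's documented example keys."""
    strings = [b"", b"Hello", b"AKIAIOSFODNN7EXAMPLE",
               b"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", b""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Payload/Demo.app/Info.plist", b"<plist></plist>")
        archive.writestr("Payload/Demo.app/Demo", b"\x00".join(strings))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for finding in scan_ipa(build_sample_ipa()):
        print(finding)
```

An empty result only rules out keys stored as plain literals; encoded, encrypted or split values are not covered by this pattern match.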

RichardN

Does not matter if it is Android or iOS.... there is no such thing as 100% security. You can peek into packages of either and learn something of their workings.

How much security is ENOUGH security? Clearly if you are a bank the answer is simple. However a game, a utility or a database front end the answer is completely different AND a matter of differing opinions.

The question I always ask myself is where is the gold? What am I protecting? Usually in my case it is the underlying database in the package which can be encrypted and does not always have to be called .db !

There are many ways of frustrating reverse engineers, obfuscation is only one.
 

lucasheer

> As an experiment earlier today I was able to use 7-zip and the Windows Notepad applet to open the .ipa of my iOS app and bore down to a file called _TEXT_cstring where I was able to find the credentials that the app uses to access AWS.
>
> Admittedly I knew what I was looking for but so would any half intelligent hacker.
>
> No special tools required - this has convinced me that the next release of the app will at least encrypt these credentials with a key that the hacker would not have an easy clue to.
>
> But this probably has limited value if the code can be disassembled and the hacker can work out what has been done.

You can always create your own decrypt/encrypt function, but I would never store any credentials inside of your app.

You might possibly consider server-generated tokens and an API for any kind of authentication.
 

JackKirk

> Does not matter if it is Android or iOS.... there is no such thing as 100% security. You can peek into packages of either and learn something of their workings.
>
> How much security is ENOUGH security? Clearly if you are a bank the answer is simple. However a game, a utility or a database front end the answer is completely different AND a matter of differing opinions.
>
> The question I always ask myself is where is the gold? What am I protecting? Usually in my case it is the underlying database in the package which can be encrypted and does not always have to be called .db !
>
> There are many ways of frustrating reverse engineers, obfuscation is only one.

I agree entirely with all of these comments and used similar thoughts to construct my app security on the B4A and B4J fronts - including an extremely detailed position paper - complicate/minimize/monitor.

I left B4i to one side on the assumption that it was machine code so....

I am finding that is not a valid assumption - and if an obfuscation capability does/could exist then I would like to have it.
 

JackKirk

> You might possibly consider server-generated tokens and an API for any kind of authentication.

Yes AWS provides these sorts of capabilities which I looked at but decided against because of the extra complication/documentation/maintenance implications.

You also have the problem that if the code can be disassembled and understood then a hacker can unravel any such efforts.

I am firmly in RichardN's camp - there is no such thing as 100% security - I assume as such and plan accordingly.

But I do want to make the hacker's job as difficult and unfruitful as possible - which is where obfuscation comes in.
 

JackKirk

> Code obfuscation is less important in B4i than in B4A and B4J as it is way more complicated to reverse engineer the compiled code.
> It is also more difficult to get the IPA itself.

Up until recently I was happy to accept these as Gospel - but after extensive googling I'm not so sure.

One thing I have found is:

https://www.protectmyapp.com/login

You upload your compiled app (Android or iOS) to their website and get back a "hardened" "secured" version to upload to the App/Play Store.

and a similar product:

https://irdeto.com/trusted-software/

At USD500/month for 2 apps protectmyapp is not cheap - but not outrageous if my apps actually take off as I hope.

Has anyone any experience with these? (probably an academic question as both are less than a year old).
 

lucasheer

> Up until recently I was happy to accept these as Gospel - but after extensive googling I'm not so sure.
>
> One thing I have found is:
>
> https://www.protectmyapp.com/login
>
> You upload your compiled app (Android or iOS) to their website and get back a "hardened" "secured" version to upload to the App/Play Store.
>
> and a similar product:
>
> https://irdeto.com/trusted-software/
>
> At USD500/month for 2 apps protectmyapp is not cheap - but not outrageous if my apps actually take off as I hope.
>
> Has anyone any experience with these? (probably an academic question as both are less than a year old).

I doubt those services are going to add a whole lot of protection.

Anything client-sided will always be hackable.

I'd be willing to build you a PHP server-based API for less than what they are charging for their overlay service 👍
 

JackKirk

> I doubt those services are going to add a whole lot of protection.

I am in the early stages of exploring - will report back if I find anything positive or negative of importance.

> Anything client-sided will always be hackable.

I agree - the objective is to complicate.

> I'd be willing to build you a PHP server-based API for less than what they are charging for their overlay service 👍

Let me see what they actually do first.
 