What are the best practices to add extra security to an iOS app so that attackers/hackers cannot easily find the secure private keys and constant strings inside the code?

P.S.: I found some other related questions which were answered partially or were missing some aspects of this question, so I've added a detailed question along with some findings below so anyone can benefit from this thread later on.

100% security for any application is not possible, but we can try to make attacking/cracking an iOS app as hard as possible by implementing more security so that the app cannot be cracked/hacked easily.

Following are a few kinds of data which should be more secure:

  • All user credentials (username, password, etc.)
  • API keys, private keys, tokens, web service URLs/endpoints, etc. (constant/hardcoded variables)
  • Web service requests and responses (network layer)

I've already stored all the user credentials in the Keychain.

1. Is there any approach to encrypt the .ipa file so that decompiling/reverse engineering the iOS app binary becomes harder?

2. How to store any constant hardcoded API key/token so that even if the app is decompiled/cracked successfully by crackers, the constant API keys/tokens are difficult to retrieve? (Assume that we have already encoded/encrypted the keys and we are decoding them every time before usage.)

Following are a few findings in my mind at the moment, but I'm not sure which approach is better to achieve this, or if there is any other standard approach; kindly advise:

  • Store all hardcoded constant API keys after encryption/encoding, and when they are required decrypt/decode them on demand.
  • Store confidential constant variables as hex/hashed values and do not store any plain text in the constants directly.
  • Obfuscation
  • Inside main(int argc, char * argv[]) add the following line of code to terminate the app if anyone tries to debug it using some decompiling/debugging tools (not sure whether Apple will reject the app because of this or not):

    disable_gdb();

Looking forward to any suggestions or best practices to make an iOS app more secure.

  • possible duplicate of stackoverflow.com/questions/9448632/… Dec 15, 2014 at 11:31
  • Have you sent your app to review with the disable_gdb();?
    – Azat
    Apr 18, 2015 at 21:45
  • @Azat Yes, I pushed the app to the App Store with disable_gdb(); and it was approved.
    – W.S
    Apr 22, 2015 at 14:50
  • @W.S Thanks for your answer. Are you able to compile such code now too? I am getting Undefined symbols for architecture x86_64: "_disable_gdb"
    – Azat
    Apr 22, 2015 at 18:34
  • @Azat Yes, I'm able to compile the code. Maybe the following link helps you double-check the project settings. stackoverflow.com/questions/18408531/…
    – W.S
    Apr 23, 2015 at 5:54
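The following is an added example, not code from the question or its comments, showing two of the findings listed above in working C: a constant API key that is compiled in only in XOR-encoded form and decoded on demand (then wiped), and a disable_gdb()-style check that refuses to run when a debugger is attached. The key value, the obfuscated bytes and the rolling XOR key are all constructed for this example and are not a real credential. On iOS/macOS the debugger check asks the kernel for the P_TRACED flag via sysctl, which is how the usual disable_gdb() implementations work; the Linux branch reads TracerPid from /proc/self/status so the same program runs on a non-Apple build host.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef __APPLE__
#include <sys/types.h>
#include <sys/sysctl.h>
#include <unistd.h>
#endif

/* Hypothetical API key (constructed for this example, not a real credential).
 * Only the XOR-obfuscated bytes are compiled in; the plaintext never appears as
 * a literal, so `strings` on the binary will not show it. Byte i was XORed
 * with the rolling key byte (0x5A + 7*i) & 0xFF. */
#define SECRET_LEN 20
static const unsigned char kObfuscatedKey[SECRET_LEN] = {
    0x1F, 0x39, 0x29, 0x22, 0x26, 0x31, 0xC1, 0xA6, 0xD3, 0xC9,
    0xE9, 0x8A, 0xE5, 0xF0, 0xE5, 0xEE, 0xFB, 0xE3, 0xEB, 0xEB
};

static unsigned char key_byte(size_t i) { return (unsigned char)(0x5A + 7u * i); }

/* Best-effort wipe using volatile stores so the optimizer cannot drop it. */
static void wipe(char *buf, size_t len) {
    volatile char *p = (volatile char *)buf;
    while (len--) *p++ = 0;
}

/* Decode the key on demand into a caller-owned buffer. Returns bytes written
 * (excluding the NUL terminator) or -1 if the buffer is too small. */
int reveal_secret(char *out, size_t out_len) {
    if (out_len <= SECRET_LEN) return -1;
    for (size_t i = 0; i < SECRET_LEN; i++)
        out[i] = (char)(kObfuscatedKey[i] ^ key_byte(i));
    out[SECRET_LEN] = '\0';
    return SECRET_LEN;
}

/* Check a candidate against the secret without leaving the plaintext around:
 * decode, compare in constant time, wipe. Returns 1 on match, 0 otherwise. */
int secret_equals(const char *candidate) {
    char buf[SECRET_LEN + 1];
    if (reveal_secret(buf, sizeof buf) < 0) return 0;
    size_t n = strlen(candidate);
    unsigned char diff = (unsigned char)(n != SECRET_LEN);
    for (size_t i = 0; i < SECRET_LEN; i++)
        diff |= (unsigned char)(buf[i] ^ (i < n ? candidate[i] : 0));
    wipe(buf, sizeof buf);
    return diff == 0;
}

/* Does `needle` occur as a raw byte sequence in `blob`? This is what a
 * strings-style scan of the binary image would or would not find. */
int blob_contains(const unsigned char *blob, size_t n, const char *needle) {
    size_t m = strlen(needle);
    if (m == 0 || m > n) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(blob + i, needle, m) == 0) return 1;
    return 0;
}

/* "Am I being debugged?" check, the idea behind the question's disable_gdb().
 * Returns 1 if traced, 0 if not, -1 if the platform cannot tell us. */
int is_debugger_attached(void) {
#ifdef __APPLE__
    int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid() };
    struct kinfo_proc info;
    size_t size = sizeof info;
    memset(&info, 0, sizeof info);
    if (sysctl(mib, 4, &info, &size, NULL, 0) != 0) return -1;
    return (info.kp_proc.p_flag & P_TRACED) != 0;
#elif defined(__linux__)
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    int tracer = -1;
    while (fgets(line, sizeof line, f))
        if (strncmp(line, "TracerPid:", 10) == 0) { tracer = atoi(line + 10); break; }
    fclose(f);
    return tracer < 0 ? -1 : tracer != 0;
#else
    return -1;
#endif
}

int main(void) {
    if (is_debugger_attached() == 1) {
        /* What disable_gdb()-style code amounts to: refuse to run under a debugger. */
        fputs("debugger detected, exiting\n", stderr);
        return 1;
    }
    char key[SECRET_LEN + 1];
    int n = reveal_secret(key, sizeof key);
    printf("obfuscated blob contains \"API-KEY\": %d\n",
           blob_contains(kObfuscatedKey, SECRET_LEN, "API-KEY"));
    printf("decoded %d bytes, contains \"API-KEY\": %d\n", n,
           blob_contains((const unsigned char *)key, (size_t)n, "API-KEY"));
    wipe(key, sizeof key); /* drop the plaintext as soon as the request is built */
    return 0;
}
```

Two caveats worth keeping in mind when weighing these findings. Encoding the constant only defeats static scans of the binary; the decoded key exists in memory at the point of use, so on a jailbroken device someone can break at reveal_secret() or hook the network call and read it, and the P_TRACED check itself is a single branch that can be patched out. Both are speed bumps, which is why the stronger answer to "how do I hide a private key in the app" is usually to not ship a long-lived secret at all and to have a server perform the privileged call on the user's behalf after the user authenticates.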
