What are the best practices to add the extra security in iOS App so Attackers/Hackers can not easily find the Secure Private Keys, Constants strings inside the code.
P.S: I found some other related questions which were answered partially or missing some aspects of this question, so I've added detailed question along with some findings below so anyone can get benefit from this thread later on.
100% Security for any Application not possible but we can try to make the attacking/cracking of iOS App as much harder as possible by implementing more security so that the App can not be cracked/hacked easily.
Following are few data which should be more secure
- All User Credentials (username, password etc)
- API Keys, Private Keys, Tokens, WebService URLs/EndPoints etc (Constant/Hardcoded Variables)
- WebService Requests, Response (Network Layer)
I've already stored all the user credentials on KeyChain,
1. Is there any approach to encrypt the .ipa file so decompiling/reverse engineering of iOS Binary App becomes more harder?
2. How to store any Constant HardCoded API Key/Token so even if the App is decompiled/cracked successfully by crackers ; the Constant API keys/Tokens should be difficult to retrieve. (Assume that we have already encoded/encrypted the keys and we we are decoding it every-time before usage)
Following are few findings in my mind at the moment but I'm not sure which approach is better to achieve this or if there is any other standard approach then kindly advice:
- Store all Hard coded Constants API Keys after encryption/encoding and when it is required it must be decrypted/decoded on demand.
- Store Confidential Constants Variables as HEX/hashed Values and do not store any plain text in the Constants directly.
main(int argc, char * argv)add following lines of code to terminate the App if anyone tries to debug it using some Decompiling/Debugging tools. (not sure whether Apple will reject the app because of this or not)
Looking forward for any suggestion or best practices to make iOS App more secure.