Why iOS apps need obfuscation

Mobile app-based cybercrime is ever-evolving, and hackers always find new and better methods to reverse engineer apps to identify weaknesses, secrets and get a hold of sensitive information.

Objective-C and Swift are the most common programming languages for iOS apps. Both are compiled to machine code, which makes it more difficult to translate the code back to the original source code. This has created a misconception that iOS apps are hard to reverse engineer.

However, the interest in analyzing and understanding machine code is nothing new, and there is a mature technology in place for reverse engineering machine code, based on years of research and expertise in the field. In addition, when Objective-C and Swift are compiled to machine code, there is a lot of metadata in the binary that is required for these languages – which makes it much easier to understand the code than if you would for example use C code.

In other words, iOS apps are not difficult to reverse engineer and analyze, and it is important that you are aware of the threats, and take the necessary steps to prevent them.

Apple encrypts the code of the applications submitted to the App Store and restricts access to the machine code of the apps after download to prevent easy static analysis of the application. A common misconception is that Apple’s own code encryption will be enough to prevent reverse engineering. With different tools for jailbroken devices, decrypted instructions can be dumped from memory, as the device will decrypt the encrypted static binary to execute the app and load it in memory, and reconverted into the original unencrypted application. This means that if an app can be installed on a jailbroken device, Apple’s app encryption will not be enough to prevent reverse engineering or app analysis by a potential malicious actor. 

Code obfuscation has become a standard method for app developers to prevent hackers from easily decompiling and reverse engineering app code. The method scrambles the app’s code to make it hard to read and interpret. By concealing the logic and purpose of the code, it makes it significantly more difficult for an attacker to perform reverse engineering, analyze the code, and retrieve sensitive information.

Advantages of obfuscating your iOS apps

Using obfuscation methods for your iOS apps will make the application hard to reverse engineer, thus ensuring that your product’s intellectual property is protected against security threats, the discovery of application vulnerabilities, and unauthorized access.

When your IOS app’s code is obfuscated, the threshold for an attacker to carry out a reverse engineer-attack is significantly heightened, as it will often be too time-consuming and costly to succeed.

With obfuscation you can:

• Prevent code from being copied and used without permission
• Make your app’s functional logic on the client-side and algorithms less exposed. 
• Make it harder for attackers to find vulnerabilities in your code

Bitcode Obfuscation

Bitcode is the intermediate representation of your source code in the process of compiling it and converting it into machine code. The front end of the compiler will convert the source code into Bitcode. Based on the optimized Bitcode, the compiler back-end generates machine code.

Promon SHIELD™ can work with the embedded Bitcode and apply obfuscation to it. It can then also compile it into binary format.

Obfuscation methods and techniques for iOS

There are different techniques you can use to obfuscate the code of your iOS app, such as control flow obfuscation and string obfuscation.

Control flow obfuscation

When determining the intent of an application, it is important to understand its control flow. Control flow obfuscation is to alter the “logical execution flow” of the application, by controlling the flow of the application dynamic in a different and controlled manner. Obfuscating the control flow is a good way to obfuscate app logic and confuse hackers. By complicating the control flow, by for example control flow flattening (shown in the graphic above), it takes a lot longer to understand where the code is going or why it takes a certain direction. Additional control flow obfuscation can be implemented by using arbitrary and unexpected statements and inserting dead code that would never be executed to hide the true control flow.

String obfuscation

String obfuscation hides string by scrambling them in various ways. It hides and replaces strings with a (for the human eye) innocuous or non-sensical representation of the string. The CPU will be able to de-scramble the string dynamically during execution, while an attacker would make little meaning out of the string from static analysis.

Is obfuscation alone enough?

While obfuscation is an important security measure that will help protect apps against reverse engineering and intellectual property theft, this security measure alone is not enough to fully protect your apps from malware and real-world attack scenarios.

Therefore, complete code protection combined with comprehensive runtime protection is essential to fully protect your iOS apps. Choose a security product that applies advanced and strong obfuscation techniques to your apps in addition to other protection mechanisms. 

In addition to applying strong obfuscation techniques to your iOS apps, our app shielding solution will also monitor your app’s runtime behaviour and detect if your app is executing in an insecure environment. Promon SHIELD™ also detects the presence of code hooks, and blocks injection of malicious code into the app, and enables your app to modify its behaviour in real-time to interrupt potential malware attacks.

Utilizing code obfuscation in combination with a multi-layered In-App Protection solution will make your apps less prone to reverse engineering and intellectual property theft.