Mobile Protect - iOS Static Obfuscation

Prerequisites

1. An iOS project with the MobileProtect SDK installed.

2. A copy of the datatheorem-obfuscate tool.

Obfuscation Tool Download

In order to download the tool, you must have your Repo API Key on hand. You will find this API key in the Overview tab of the Active Protection page for Mobile Secure. Press the blue button on the right hand side that reads “Protect Mobile Apps“ and look for the “Keys & Config” section.

Open

There are two options:

1. Direct download from Data Theorem’s portal: Direct Download Link

   1. This link will open a login prompt, enter “1” for the user name and set the password to the contents of the Repo API Key.

2. By cloning the MobileProtect build repository:

   1. Locate the Repo API Key and use it to run the following command:

      git clone https://1:{REPO_API_KEY}@mobile-protect-repos.securetheorem.com/mobileprotect-ios

Move the datatheorem-obfuscate binary to the root of the Xcode project (next to the .xcodeproj or .xcworkspace files).

Add Obfuscation Build Phases to Xcode

Disable ENABLE_USER_SCRIPT_SANDBOXING by setting the variable in Build Settings > Build Options > User Script Sandboxing to NO, so the tool has access to the built files to modify them.

For projects using Cocoapods

For projects that use Cocoapods, add the following line to each target that is defined in the Podfile:

Additionally, add the following to the end of the Podfile:

Example Podfile:

For projects not using Cocoapods

For each target in the project (app/framework), add a Run Script build phase named Data Theorem Static Obfuscation to the Xcode project containing the following:

Configuration

In the project's MobileProtect.plist configuration file, perform the following steps:

1. Add a new key called StaticObfuscation with its type set to Dictionary.

2. Inside this dictionary, insert a child key named Enabled with the type Boolean and set its value to YES.

After making these changes and performing a “clean” of the project, the installation is complete. The application will be statically obfuscated the next time it is compiled.

Optional Configuration

The following configuration keys are supported:

• Enabled: A boolean value. Set to YES to enable static obfuscation.

• ClassExcludeList: Specify a path, relative to the project root, pointing to a file that contains a list of class names. Each class name should be on a separate line. The selectors associated with these classes will be excluded from static obfuscation.

• SelectorExcludeList: A file path, relative to the project root, pointing to a file that contains a list of selector names. Each selector name should be on a separate line. Selectors in this file will be excluded from static obfuscation.

Excluding Selectors From Obfuscation

Projects that refer to selectors directly will need to exclude these selectors from obfuscation, otherwise the app might crash. Selectors are referred to directly:

• When using the @selector(...) syntax.

• When using dynamic class lookup (NSClassFromString(), objc_getClass()).

• When using key-value observation.

A typical crash caused by obfuscation of directly-referenced selectors will look similar to this:

To resolve such a crash, add the class name (SomeClassName) to the class exclusion list (refer to the ClassExcludeList configuration) or add the selector someSelector to the selector exclusion list (refer to the SelectorExcludeList).

Sometimes, the error will mention the obfuscated selector name, e.g.:

In this case, the corresponding (non-obfuscated) selector can be determined from the mapping file.