ansaurus

Question

How safe is information contained within iPhone app compiled code?

Answer 1

+14 A:

Yes, strings and information are easily extractable from compiled applications using the strings tool (see here), and it's actually even pretty easy to extract class information using class-dump-x (check here).

Just some food for thought.

Edit: one easy, albeit insecure, way of keeping your secret information hidden is obfuscating it, or cutting it up into small pieces.

The following code:

NSString *string = @"Hello, World!";

will produce "Hello, World!" using the strings tool. Writing your code like this:

NSString *string = @"H";
string = [stringByAppendingString:@"el"];
string = [stringByAppendingString:@"lo"];
...

will show the characters typed, but not necessarily in order.

Again: easy to do, but not very secure.

itaiferber 2010-10-12 23:18:18

thanks for the info +1

dredful 2010-10-13 00:36:29

even just suggesting security though obscurity should get you a -1. You should tell people that what they are trying to accomplish is a vulnerability. False hopes get people hacked.

Rook 2010-10-13 00:38:41

@Rook: Sometimes obscurity is appropriate, e.g. if you're hiding cheat codes in a game, anything more secure would be overkill. ALSO: If that's how you feel, how come you didn't downvote it?

benzado 2010-10-13 01:09:08

@Rook, while I definitely think you are allowed to disagree with me, I'm not sure you fully read my post, or considered what I was saying. I made sure to mention that the method was insecure, and got nobody's hopes up. That definitely does not warrant a downvote. And then again, obfuscation might be strong enough, depending on what the obfuscation is used for (as @benzado correctly pointed out).

itaiferber 2010-10-13 03:41:39

@itaiferber Yeah but you should ask what he is trying to hide. He might be doing something stupid like hiding a username/password used in an HTTP Auth for a REST service that is exposing nasty functionally. The solution is to write secure REST service, hiding the username/password doesn't do shit when you can just sniff the network.

Rook 2010-10-13 04:07:31

@Rook/@itaiferber - Thanks for everyone's participation. I understood the context of @itaiferber's answer. The information I was after was in the first part.

dredful 2010-10-13 16:32:29

Answer 2

A:

What is it you're actually trying to accomplish? Be specific; there may be techniques to accomplish what you want, but they vary depending on your goals.

Jonathan Grynspan 2010-10-12 23:21:50

Answer 3

+5 A:

When you purchase an app it is saved on your hard disk as "FooBar.ipa"; that file is actually in Zip format. You can unzip it and inspect the contents, including searching for strings in the executable. Try it! Constant values in your code are not compressed, encrypted, or scrambled in any way.

benzado 2010-10-12 23:27:33

thanks for the info +1

dredful 2010-10-13 00:05:13

ansaurus

tags:

views:

answers:

How safe is information contained within iPhone app compiled code?

related questions