I was discussing this with some friends and we began to wonder about this. Could someone gain access to URLs or other values that are contained in the actual Objective-C code after they purchase your app?

Our initial feeling was no, but I wondered if anyone out there had definitive knowledge one way or the other?

I do know that .plist files are readily available.

Examples could be things like:

- URL values kept in a string

- API key and secret values

+14  A: 

Yes, strings and information are easily extractable from compiled applications using the strings tool (see here), and it's actually even pretty easy to extract class information using class-dump-x (check here).

Just some food for thought.

Edit: one easy, albeit insecure, way of keeping your secret information hidden is obfuscating it, or cutting it up into small pieces.

The following code:

NSString *string = @"Hello, World!";

will produce "Hello, World!" using the strings tool. Writing your code like this:

NSString *string = @"H";
string = [string stringByAppendingString:@"el"];
string = [string stringByAppendingString:@"lo"];
...

will show the characters typed, but not necessarily in order.

Again: easy to do, but not very secure.

itaiferber
thanks for the info +1
dredful
even just suggesting security through obscurity should get you a -1. You should tell people that what they are trying to accomplish is a vulnerability. False hopes get people hacked.
Rook
@Rook: Sometimes obscurity is appropriate, e.g. if you're hiding cheat codes in a game, anything more secure would be overkill. ALSO: If that's how you feel, how come you didn't downvote it?
benzado
@Rook, while I definitely think you are allowed to disagree with me, I'm not sure you fully read my post, or considered what I was saying. I made sure to mention that the method was insecure, and got nobody's hopes up. That definitely does not warrant a downvote. And then again, obfuscation might be strong enough, depending on what the obfuscation is used for (as @benzado correctly pointed out).
itaiferber
@itaiferber Yeah but you should ask what he is trying to hide. He might be doing something stupid like hiding a username/password used in an HTTP Auth for a REST service that is exposing nasty functionality. The solution is to write a secure REST service, hiding the username/password doesn't do shit when you can just sniff the network.
Rook
@Rook/@itaiferber - Thanks for everyone's participation. I understood the context of @itaiferber's answer. The information I was after was in the first part.
dredful
A: 

What is it you're actually trying to accomplish? Be specific; there may be techniques to accomplish what you want, but they vary depending on your goals.

Jonathan Grynspan
+5  A: 

When you purchase an app it is saved on your hard disk as "FooBar.ipa"; that file is actually in Zip format. You can unzip it and inspect the contents, including searching for strings in the executable. Try it! Constant values in your code are not compressed, encrypted, or scrambled in any way.

benzado
thanks for the info +1
dredful
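The two answers above describe the same thing from the buyer's side: the .ipa is a Zip, and the `strings` tool lists every literal in the executable. As an added example (not code from the question or from any answer), the script below turns that into a pre-release check a developer can run on their own build: it opens an .ipa as a Zip, runs a strings-style scan over the main executable and reports literals that look like URLs or keys, and it also shows that the split-string trick only hides pieces shorter than the scan's minimum run length. The .ipa, its contents, the URL and the key are all constructed inline, and the suspect-pattern list is an assumption.

```python
"""Added example (not code from the thread): a pre-release check that opens an
.ipa as the Zip archive it is, pulls printable strings out of the app's main
executable the way the `strings` tool does, and flags likely URLs/credentials."""
import io
import re
import zipfile

# Assumed heuristics for literals worth reviewing before shipping.
_SUSPECT_RE = re.compile(r"https?://|api[_-]?key|secret|token|password", re.I)


def find_executable(ipa):
    """Member name of Payload/<Name>.app/<Name>, the app's Mach-O binary."""
    for name in ipa.namelist():
        parts = name.split("/")
        if (len(parts) == 3 and parts[0] == "Payload"
                and parts[1].endswith(".app") and parts[2] == parts[1][:-4]):
            return name
    raise FileNotFoundError("no main executable under Payload/*.app/")


def extract_strings(data, min_len=4):
    """Printable-ASCII runs of at least min_len bytes (strings(1) defaults to 4)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def audit_ipa(ipa_bytes, min_len=4):
    """Return (all_strings, suspect_strings) for the executable inside an .ipa."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        found = extract_strings(ipa.read(find_executable(ipa)), min_len)
    return found, [s for s in found if _SUSPECT_RE.search(s)]


def build_sample_ipa():
    """Constructed stand-in for a purchased app: a Zip with a fake Mach-O binary
    holding one whole URL literal and "Hello" split into pieces as above."""
    binary = (b"\xcf\xfa\xed\xfe" + b"\x00" * 16          # fake Mach-O magic
              + b"https://api.example.test/v1\x00"        # whole literal
              + b"H\x00el\x00lo\x00"                      # pieces, all under 4 bytes
              + b"api_key=CONSTRUCTED-NOT-REAL\x00")      # constructed, not real
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/FooBar.app/Info.plist", "<plist/>")
        z.writestr("Payload/FooBar.app/FooBar", binary)
    return buf.getvalue()


if __name__ == "__main__":
    for min_len in (4, 1):  # default strings(1) run length, then every run
        found, suspects = audit_ipa(build_sample_ipa(), min_len)
        print(min_len, found, "review:", suspects)
```

With the default run length the split pieces do not appear at all; with `min_len=1` (like `strings -n 1`) they do, in the order they sit in the binary, which is the "characters typed, but not necessarily in order" the first answer describes.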