New Data Security Tool Can Obfuscate Native iOS Code

For developers, data security should be a top concern. That security consciousness can start with the code itself.

With that in mind, Polidea has released its Project Sirius to the open-source community. Sirius is a tool that obfuscates iOS code, rendering it impossible for a third-party to tear the code down. It was designed to work with Swift, and the team says it’s compatible with Xcode 9.2 and Swift 4.0.

The company says the idea for Sirius came from its project with a large Polish bank. It discovered an Android obfuscation tool, as well as similar ones for Objective-C, but none for Swift. So it wrote its own.

At its core, Sirius is a symbol-renaming tool. Though Swift doesn’t inherently use the Objective-C runtime all the time, Polidea notes it probably does for larger projects that have legacy code or Objective-C callbacks. From its post announcing Sirius:

When developing in Objective-C, code obfuscation by symbol renaming is particularly important. The reason is that all the symbols must be stored in the binary and visible to the runtime so that they can be referenced by strings. This is what allows the message passing using selectors or checking the protocol conformance by the protocol’s name. Although Swift doesn’t use the Objective-C runtime by default and the compiler strips the symbols and applies the optimizations that are making it harder for the attacker to read decompiled app, the obfuscation might come in handy. Every time we derive from the NSObject or use the @objc attribute, we voluntarily participate in the Objective-C runtime and we must obey its rules. Therefore, the symbols are not striped [sic].

Sirius won’t encode everything; Function and Classes, for instance, are left alone. A hacker would still be able to see how your code is structured; they just wouldn’t have access to the code you wrote, or your naming scheme for those Classes and Functions.

It’s similar to data security tool ProGuard for Android, which “shrinks, optimizes, and obfuscates your code by removing unused code and renaming classes, fields, and methods with semantically obscure names.” Though Google’s tooling is a bit more feature-rich, the same obfuscation technique is now available for both major mobile platforms, natively.

This obviously isn’t for everyone. Independent developers and freelancers likely won’t want (or need) to obfuscate code. But larger firms should be concerned with data security in a time when trust is critical, and we always encourage a native approach when possible. Sirius is just that, and its open-source nature means you could tweak it to suit your needs.


One Response to “New Data Security Tool Can Obfuscate Native iOS Code”