Hardcoded sensitive data

Hi, I am a newbie at coding and am developing my app idea as I learn. I have some sensitive data that I have hardcoded into my app as a string. I am wondering if, in theory, it is possible for someone to decompile an iOS app and retrieve string data, or is the data made effectively unintelligible in the compiling so that decompiling would just return meaningless gibberish?


Cheers for any answers.

They probably wouldn't need to bother decompiling.


Run "strings" on your executable and grep for your string.
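The `strings` plus `grep` check from the reply above, as an added example (not code from this thread) that a developer can run against their own build before shipping: it extracts printable ASCII and UTF-16 runs from a binary and flags the ones that look like credentials. The pattern list, function names and sample bytes are constructed for illustration, and a clean result only means no plain literal was found.

```python
import re

MIN_LEN = 4  # shortest run reported; strings(1) uses the same default
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Illustrative patterns (assumptions, not an exhaustive rule set).
SECRET_PATTERNS = {
    "credential assignment": re.compile(
        r"(?i)(passw(or)?d|pwd|secret|api[_-]?key)\s*[=:]\s*\S+"),
    "URL with embedded credentials": re.compile(
        r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
    "private key header": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

def extract_strings(blob):
    """Yield (offset, text) for printable ASCII and UTF-16LE runs."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), m.group().decode("utf-16-le")

def find_hardcoded_secrets(blob, known_secrets=()):
    """Return (offset, reason, text) for every literal that looks sensitive."""
    findings = []
    for offset, text in extract_strings(blob):
        # Exact values the developer knows must never ship in the binary.
        if any(secret in text for secret in known_secrets):
            findings.append((offset, "known secret", text))
        for reason, pattern in SECRET_PATTERNS.items():
            if pattern.search(text):
                findings.append((offset, reason, text))
    return findings

# Constructed bytes standing in for a compiled executable (not a real binary).
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 12 + b"__cstring\x00"
    + b"mysql://appuser:hunter2@db.example.com/prod\x00"
    + b"Welcome back\x00\x00\x00"
    + "api_key=CONSTRUCTED-KEY-123".encode("utf-16-le") + b"\x00\x00"
    + b"\x90\x90\xc3"
)

if __name__ == "__main__":
    for offset, reason, text in find_hardcoded_secrets(SAMPLE_BINARY, ["hunter2"]):
        print(f"0x{offset:04x}  {reason}: {text}")
```

To use it as a release gate, read the built executable with `open(path, "rb").read()` and fail the build when the returned list is not empty.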

Thanks for your reply. Being a beginner I don't know what grep is, but if strings are so easily extractable from an iOS app (which surprises me considerably) then hardcoding it is extremely insecure, which is a shame.

if strings are so easily extractable from an iOS app

It’s not quite that simple [1] but…

then hardcoding it is extremely insecure

… this is still the right conclusion. Any secret that’s hard coded into your app can be extracted. You can take steps to make that harder, but there’s no completely secure solution. You are effectively trying to create a DRM scheme, and DRM is never 100% effective.

For more thoughts on this, see this post and this one too.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

[1] If you distribute your iOS app via the App Store the executable parts of your app are encrypted. However, there are ways for Bad People™ to get around that encryption.

I haven’t tried to grep iOS apps, but on Mac apps there are plenty of plain text strings. But even if plain text is not available, hackers are quite good at decompiling and inspecting. If you are thinking about DRM, they don’t need to find your sensitive data. They can just change the code to bypass it. Don’t worry about hackers if you are just beginning. Consider them free advertising.


You might not be thinking about DRM. If you are considering a secret that protects your own data or your own services, that is a Very Bad Idea. eskimo mentions that a little in his first link. Instead, create a database that gives users very restricted access to data through some kind of intermediary. For example, don’t store the account and password to your MySQL database in your app. Build a REST wrapper around your database that serves the data (in JSON or XML) to users who authenticate against your user list. Never provide any opportunity for direct access.

Thanks for that, Eskimo. When my app is ready for distribution the user would load their own data, use it, then discard it, so nothing would be hard-coded. I was wondering for my own purposes because I have an instance of my app running that I make occasional use of. I'll have to look into what possibilities encryption offers so that end-users might have the same luxury if they choose it.
Cheers

Thanks for that. When the time comes I'm going to look into what possibilities encryption offers so that the data could be safely stored and then used on the fly. All beyond me at the moment, but I'm determined to get there :-)
