Hi
Is it possible for an app in the AppStore to be decompiled and sensitive code to be seen and 'readable'. I am not trying to doing this (obviously), I understand it can be very easy on other platforms.
If so, what techniques would be advised to protect against this?
Thanks
I do not believe it can be de compiled. But calls to methods can be identified and modified. Also, blocks of code already known to a hacker can be located within the compiled code and modified. Also certain string variables can be located like 'IAP was purchased'.
Yes, it's certainly possible to decompile an app from the App Store.
> If so, what techniques would be advised to protect against this?
You can't. Sure you can obfuscate your method names, create unwieldy code constructs that are painful to decompile, and so on. But all you're doing is raising the level of skill and dedication required to reverse engineer your app. And there will always be someone out there who can reverse engineer your app, regardless of how hard you try to prevent them from doing so. It's just a matter of whether your app looks like an appealing target.
The questions you should be asking yourself are
a) What would I not want someone to find if they do reverse engineer my app
b) Can I move <insert answer from (a)> somewhere else (such as a server)
c) What is my mitigation strategy of someone gets a hold of <insert answer from (a)>?
Anything can be broken into and reverse engineered. It's just a matter of making who ever wants to do that expend more of energy. I believe obfuscating your code will make it more difficult for anyone to reverse engineer your code.
Not to start a Google versus Apple fight here but Android Studio offers code obfuscation from within their IDE. It would be nice if XCode provided this. We are about to deploy our software to the Apple Store and we are also looking to obfuscate the code. IMO - it's a no brainer. Why wouldn't you want to make it more difficult for people to reverse engineer your hard work? Let them work harder at stealing your code.
Decompiling is generally considered to be so difficult as to not be worth the trouble when anyone with those skills can just re-create from scratch.
But remember that an app (.ipa) is just a .zip file, and once unpacked, anyone can grab certain assets such as images, plists and databases...and those may be where the real time saved exists. And you can't prohibit anyone from unpacking your app from the store.
While it cannot be decompiled into any usable form, it can certainly be decompiled to opcodes
meaning a dedicated hacker could work around any limitations you may place in your code.
If your concern is someone discovering your algorithm for your cool new thing, patent it. It
won't prevent it from being discovered but, will provide you legal grounds to go after anyone
who might "steal" your work.
Frankly, in most cases, neither obfuscation nor patenting your code are worth the time nor
expense in the long run. Your app will never earn enough to pay for the filing/search/legal
fees of full patent protection and the possible bugs you'll introduce unintentionally through
obfuscation will make maintaining your code much more difficult than any potential loss
would warrant. Also, consider Bit-Code. Obfuscation could potentially break Bit-Code
in that changes to Apple's methods of recompiling your submitted apps may result in
useless binaries and as a result, lots of negative reviews of your apps.
Above all, consider the fact that, even "decompiled" the hacker never sees your actual
code, only a representation of that code. The finer points are lost completely. They can
see for example what it does but not how or even why.
