Security through obscurity for iOS apps.
This package contains both a library and command line tool.
Use the obfuscate command line tool to encrypt your secret token. It generates both a token and a key you can use to reveal the original value.
Include the library in your application to decode the value at runtime.
Inspired by twenty3/Obfuscator, and these articles:
- Secret Management on iOS - NSHipster
- Managing secrets within an iOS app | Lord Codes
- Secure Secrets in iOS app. How do we store our secrets on the… | by Shahrukh Alam | Swift India | Medium
- Protecting Million-User iOS Apps with Obfuscation: Motivations, Pitfalls, and Experience - IEEE Conference Publication
- Swift 5.5+
- Xcode 13.0+
- macOS 11.0+
With Mint
$ mint install salishseasoftware/obfuscate
Clone the repo then:
$ make install
Or using swift itself:
$ swift build -c release
$ cp .build/release/obfuscate /usr/local/bin/obfuscate
Generate the Xcode project:
$ swift package generate-xcodeproj
$ open ./obfuscate.xcodeproj
In Xcode:
- Product > Archive
- Distribute Content
- Built Products
- copy random-word executable to /usr/local/bin/ or wherever you prefer.
OVERVIEW: Security through obscurity
A utility to obfuscate a string using a randomly generated salt, and reveal
the original value using the obfuscates string and the salt.
You can include the obfuscated string in your applications source code and provide the key
through some type of configuration method (ENV, XCConfig file, etc).
Then use the `Obfuscater` library to decrypt the token at runtime when needed.
The important bit is that your original secret should not be present in your source code,
config files, or your SCM system.
It is recommended that your generated key not be checked into your SCM system either.
Keep in mind however that it's likely you will need to include the generated key in your apps bundle,
so it's far form a perfect solution.
USAGE: obfuscate <subcommand>
OPTIONS:
-h, --help Show help information.
SUBCOMMANDS:
encrypt (default) Obfuscates a string.
decrypt Reveals an obfuscated string.
See 'obfuscate help <subcommand>' for detailed help.
OVERVIEW: Obfuscates a string.
Generates a token from the provided string, along with a key that can
be used to decrypt the token, and reveal the original value.
USAGE: obfuscate encrypt <string>
ARGUMENTS:
<string>
OPTIONS:
-h, --help Show help information.
OVERVIEW: Reveals an obfuscated string.
Decrypts the provided token using the key to reveal the original value.
USAGE: obfuscate decrypt --token <token> --key <key>
OPTIONS:
-t, --token <token> The obfuscated string
-k, --key <key> Secret key
-h, --help Show help information.
The Obfuscator library provides just two functions:
encrypt(_:)
Encrypt a string
Parameters
- secret: The secret you want to encrypt.
Throws
An error of type ObfuscaterError.encryptionFailure if the encryption fails.
Returns
A (String, String) tuple consisting of the obfuscated string (token) and a randomly generated salt (key) used to perform the encryption.
decrypt(token:,key:)
Reveals the original value of an encrypted string.
Parameters
- token: The encrypted string.
- key: The salt used to encrypt the string.
Throws
An error of type ObfuscaterError.decryptionFailure if the decryption fails.
Returns
The original string.
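The token/key round trip described above, as an added example that is not this package's own code. The two functions mirror the signatures documented here, but their bodies are an assumed stand-in (XOR with a random salt, Base64-encoded), since this page does not describe the library's actual algorithm; the sample secret is constructed.

```swift
import Foundation

// Stand-in error type; the case names mirror the ones documented above.
enum ObfuscaterError: Error { case encryptionFailure, decryptionFailure }

// ASSUMPTION: XOR against a random salt of equal length, then Base64.
// This is an illustrative scheme, not the library's real implementation.
func encrypt(_ secret: String) throws -> (String, String) {
    let plain = Array(secret.utf8)
    guard !plain.isEmpty else { throw ObfuscaterError.encryptionFailure }
    let salt = plain.map { _ in UInt8.random(in: 0...255) }
    let token = zip(plain, salt).map { $0 ^ $1 }
    return (Data(token).base64EncodedString(), Data(salt).base64EncodedString())
}

func decrypt(token: String, key: String) throws -> String {
    guard let t = Data(base64Encoded: token),
          let k = Data(base64Encoded: key),
          !t.isEmpty, t.count == k.count,
          let secret = String(bytes: zip(t, k).map { $0 ^ $1 }, encoding: .utf8)
    else { throw ObfuscaterError.decryptionFailure }
    return secret
}

do {
    let secret = "sk_test_CONSTRUCTED_0000"  // constructed sample, not a real credential
    let (token, key) = try encrypt(secret)

    // Only the token goes into source code; the plaintext is not visible in it.
    print("token:", token)
    print("token contains plaintext:", token.contains(secret))  // false

    // At runtime the key is supplied through configuration and the value is revealed.
    let revealed = try decrypt(token: token, key: key)
    print("round trip ok:", revealed == secret)                  // true

    // A key of the wrong length is rejected instead of returning garbage.
    do { _ = try decrypt(token: token, key: "AAAA") }
    catch { print("wrong-length key rejected:", error) }

    // The limitation: token and key together are equivalent to the secret,
    // so a key shipped in the same bundle as the token only hides the value
    // from casual inspection such as a plain string search.
} catch {
    print("error:", error)
}
```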
Add the package as a dependency in your Package.swift file