Obfuscate
Security through obscurity for iOS apps.
This package contains both a library and command line tool.
Use the obfuscate command line tool to encrypt your secret token. It generates both a token and a key you can use to reveal the original value.
Include the library in your application to decode the value at runtime.
Inspired by twenty3/Obfuscator, and these articles:
- Secret Management on iOS - NSHipster
- Managing secrets within an iOS app | Lord Codes
- Secure Secrets in iOS app. How do we store our secrets on the… | by Shahrukh Alam | Swift India | Medium
- Protecting Million-User iOS Apps with Obfuscation: Motivations, Pitfalls, and Experience - IEEE Conference Publication
Requirements
- Swift 5.5+
- Xcode 13.0+
- macOS 11.0+
obfuscate - command line tool
Installation
With Mint
$ mint install salishseasoftware/obfuscate
Manually
Clone the repo then:
$ make install
Or using swift itself:
$ swift build -c release
$ cp .build/release/obfuscate /usr/local/bin/obfuscate
With Xcode
Generate the Xcode project:
$ swift package generate-xcodeproj
$ open ./obfuscate.xcodeproj
In Xcode:
- Product > Archive
- Distribute Content
- Built Products
- copy random-word executable to /usr/local/bin/ or wherever you prefer.
Usage
OVERVIEW: Security through obscurity
A utility to obfuscate a string using a randomly generated salt, and reveal
the original value using the obfuscates string and the salt.
You can include the obfuscated string in your applications source code and provide the key
through some type of configuration method (ENV, XCConfig file, etc).
Then use the `Obfuscater` library to decrypt the token at runtime when needed.
The important bit is that your original secret should not be present in your source code,
config files, or your SCM system.
It is recommended that your generated key not be checked into your SCM system either.
Keep in mind however that it's likely you will need to include the generated key in your apps bundle,
so it's far form a perfect solution.
USAGE: obfuscate <subcommand>
OPTIONS:
-h, --help Show help information.
SUBCOMMANDS:
encrypt (default) Obfuscates a string.
decrypt Reveals an obfuscated string.
See 'obfuscate help <subcommand>' for detailed help.
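The overview above asks that the original secret never appear in source, config files, or SCM, and that the generated key stay out of SCM as well. The following check for those two conditions is an added example, not part of the obfuscate project; the `check_secret_hygiene` function, the `PLAINTEXT_SECRET` variable, and keeping the key in a separate file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the obfuscate project.
# Assumptions: the plaintext secret is supplied in the PLAINTEXT_SECRET
# variable, and the generated key is kept in a file (for example an
# xcconfig) whose repo-relative path is passed as the second argument.

# check_secret_hygiene <repo_dir> <key_file>
# Returns 0 when clean, 1 on any finding, 2 on a usage error.
check_secret_hygiene() {
    repo_dir=$1
    key_file=$2
    findings=0

    if [ -z "${PLAINTEXT_SECRET:-}" ] || [ -z "$repo_dir" ] || [ -z "$key_file" ]; then
        echo "usage: PLAINTEXT_SECRET=... check_secret_hygiene <repo_dir> <key_file>" >&2
        return 2
    fi
    if ! git -C "$repo_dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        echo "error: $repo_dir is not a git work tree" >&2
        return 2
    fi

    # 1. The original secret must not appear in any tracked file.
    #    The pattern is passed on stdin (-f -) so it never appears in argv.
    if printf '%s\n' "$PLAINTEXT_SECRET" |
        git -C "$repo_dir" grep -q -F -f - >/dev/null 2>&1; then
        echo "FAIL: plaintext secret found in tracked files" >&2
        findings=1
    fi

    # 2. The generated key file should not be tracked.
    if git -C "$repo_dir" ls-files --error-unmatch -- "$key_file" >/dev/null 2>&1; then
        echo "FAIL: key file '$key_file' is tracked by git" >&2
        findings=1
    fi

    # 3. It should also be ignored, so it cannot be added by accident.
    if ! git -C "$repo_dir" check-ignore -q -- "$key_file"; then
        echo "FAIL: key file '$key_file' is not covered by .gitignore" >&2
        findings=1
    fi

    return "$findings"
}
```

The check covers tracked files in the current working tree only, not earlier commits.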
Encrypt
OVERVIEW: Obfuscates a string.
Generates a token from the provided string, along with a key that can
be used to decrypt the token, and reveal the original value.
USAGE: obfuscate encrypt <string>
ARGUMENTS:
<string>
OPTIONS:
-h, --help Show help information.
Decrypt
OVERVIEW: Reveals an obfuscated string.
Decrypts the provided token using the key to reveal the original value.
USAGE: obfuscate decrypt --token <token> --key <key>
OPTIONS:
-t, --token <token> The obfuscated string
-k, --key <key> Secret key
-h, --help Show help information.
Obfuscator Library
The Obfuscator library provides just two functions:
encrypt
encrypt(_:)
Encrypt a string
Parameters
- secret: The secret you want to encrypt.
Throws
An error of type ObfuscaterError.encryptionFailure if the encryption fails.
Returns
A (String, String) tuple consisting of the obfuscated string (token) and a randomly generated salt (key) used to perform the encryption.
decrypt
decrypt(token:,key:)
Reveals the original value of an encrypted string.
Parameters
- token: The encrypted string.
- key: The salt used to encrypt the string.
Throws
An error of type ObfuscaterError.decryptionFailure if the decryption fails.
Returns
The original string.
Installation
Add the package as a dependency in your Package.swift file
