String Encryption
String Encryption is an obfuscation technique used to transform plain text into unreadable text, making it difficult for bad actors to gain insight into a user’s codebase. By encrypting strings, developers can safeguard critical information, deter reverse engineering, and protect sensitive data. String Encryption aligns with best practices recommended by security standards such as the Open Web Application Security Project (OWASP). Adhering to these standards helps ensure the overall security and integrity of iOS applications.
Defender for iOS String Encryption supports string objects in the Swift and Objective-C programming languages. Defender for iOS supports the XOR and Advanced Encryption Standard (AES) algorithms.
To apply String Encryption obfuscation with Defender for iOS, you can configure string encryption either on the command line or in the config file.
Command Line
Defender for iOS CLI supports short and long argument names. The short names start with a single dash (-), while long names start with two dashes (--). Some options may only have long names. The following arguments are all optional:
General:
- --disable-string-encryption={value}: Setting the value to 'true' disables string encryption for your project. The default value is false (string encryption is enabled).
- --single-string-as-char={value}: Treat a single-character Swift string as a Swift Character. The default value is false (single-character Swift strings are treated as strings).
Filtering:
- --filter-string-encryption={value}: String encryption filtering for both Objective-C and Swift. Allows filtering out the encryption of specific strings. See the example below.
- --exclude-string-encryption={value}: Exclude specified string values. String values which exactly match the exclusions are skipped by string encryption. By default, this value is an empty set.
Example:
--filter-string-encryption 'ab*, !abl' --exclude-string-encryption 'dabl'
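The page does not spell out how a filter expression such as 'ab*, !abl' combines with an exclusion list, so the following added example (not Defender for iOS code) models one plausible reading: comma-separated glob patterns, a leading '!' negates a pattern, an exclusion must match exactly, and a filter with no positive pattern means "all strings". Those semantics, the function names and the sample literals are all assumptions made for illustration.

```python
"""Model of string-encryption filter/exclude rules (added example, assumed semantics)."""
from fnmatch import fnmatchcase


def parse_filter(spec):
    """Split a comma-separated filter such as 'ab*, !abl' into
    (include_patterns, negated_patterns). A leading '!' negates a pattern."""
    include, negated = [], []
    for raw in spec.split(","):
        pat = raw.strip()
        if not pat:
            continue
        if pat.startswith("!"):
            negated.append(pat[1:])
        else:
            include.append(pat)
    return include, negated


def should_encrypt(literal, filter_spec="", exclude=()):
    """Decide whether one string literal would be encrypted.
    Assumed precedence: exact exclusion wins, then a negated pattern,
    then a positive pattern (an empty positive list means 'everything')."""
    include, negated = parse_filter(filter_spec)
    if literal in set(exclude):
        return False
    if any(fnmatchcase(literal, p) for p in negated):
        return False
    return not include or any(fnmatchcase(literal, p) for p in include)


def plan(literals, filter_spec="", exclude=()):
    """Return the subset of literals that would be encrypted, in input order."""
    return [s for s in literals if should_encrypt(s, filter_spec, exclude)]


if __name__ == "__main__":
    # Constructed sample of literals, as a source scanner might collect them
    sample = ["abc", "abl", "dabl", "Hello", "World", "api/v1/token"]
    # Command-line example from the page: 'ab*, !abl' with exclusion 'dabl'
    print(plan(sample, "ab*, !abl", ["dabl"]))
    # Config-file example from the page: only negated patterns
    print(plan(sample, "!Hello, !World"))
```

Running the block shows that under these assumed rules the command-line example encrypts only "abc" ("abl" is negated, "dabl" is excluded, the rest match no positive pattern), while the config-file example with only negated patterns encrypts everything except "Hello" and "World". A reviewer of an obfuscation configuration would want exactly this kind of dry run before a build, because an over-broad negation silently leaves secrets in clear text.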
AES Encryption:
- --enable-aes-encryption={value}: Setting the value to true enables the AES algorithm for encrypting strings in Swift and Objective-C files. By default, Defender for iOS uses the XOR encryption algorithm.
- --aes-encryption-key={value}: Specify the AES encryption key. If the key is not set, the AES encryption key is randomly generated. If the key value is shorter than the AES algorithm needs, the provided value is repeated. If the key value is longer than the AES algorithm needs, the provided value is truncated. The expected length is 256 bits or 32 bytes.
- --aes-encryption-iv={value}: Specify AES encryption initialization vector (IV). If not set, the vector is randomly generated. If the IV value is shorter than the AES algorithm needs, the provided value will be repeated. If the IV value is longer than the AES algorithm needs, the provided value will be truncated. The expected length is 12 bytes.
For more information on AES encryption, look here.
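The repeat-or-truncate rule for the AES key (32 bytes) and IV (12 bytes) is easy to get wrong when a key is pasted from a config file, so the following added example (not Defender for iOS code) implements that rule as the page states it and checks it against the page's own sample values. It also shows the build-time / run-time split of a string-encryption pass using the page's default XOR mode; the detail that XOR cycles through a repeating key, the use of the same length rule for the XOR key, and all function names are assumptions.

```python
"""Key/IV length normalization and a XOR string-encryption round trip
(added example with assumed details, not Defender for iOS code)."""
import os

AES_KEY_LEN = 32   # 256-bit key, as documented for --aes-encryption-key
AES_IV_LEN = 12    # 12-byte IV, as documented for --aes-encryption-iv


def fit_length(value, length):
    """Apply the documented rule: generate randomly when unset, repeat a
    too-short value, truncate a too-long one."""
    if not value:
        return os.urandom(length)
    data = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    return (data * (length // len(data) + 1))[:length]


def aes_material(key=None, iv=None):
    """Return (key, iv) of exactly the lengths AES needs."""
    return fit_length(key, AES_KEY_LEN), fit_length(iv, AES_IV_LEN)


def xor_encrypt(plaintext, key):
    """Build-time step: XOR each UTF-8 byte with a repeating key (assumed scheme)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(plaintext.encode("utf-8")))


def xor_decrypt(ciphertext, key):
    """Run-time step: XOR is its own inverse, so the app recovers the literal."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(ciphertext)).decode("utf-8")


def differing_positions(ct_a, ct_b):
    """Byte offsets where two ciphertexts differ. With repeating-key XOR these
    line up exactly with the plaintext differences, which is why the stronger
    AES option exists for strings that must not leak structure."""
    return [i for i, (a, b) in enumerate(zip(ct_a, ct_b)) if a != b]


if __name__ == "__main__":
    # Sample values taken from the page's config example (8 and 9 bytes long)
    key, iv = aes_material("bbb098iv", "aaa123key")
    print(len(key), len(iv))          # 32 12
    # Constructed literal standing in for a string a scanner would encrypt
    secret = "api/v1/token"
    blob = xor_encrypt(secret, key)
    print(blob.hex(), xor_decrypt(blob, key))
    print(differing_positions(blob, xor_encrypt("api/v1/tokex", key)))  # [11]
```

The length check is the part worth automating in a build pipeline: a key that is shorter than 32 bytes is silently extended by repetition, so "bbb098iv" becomes the same 8-byte block four times over, which is far less entropy than the 256 bits the key length suggests. Letting Defender generate the key and IV, or supplying full-length random values, avoids that.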
Config file
Defender for iOS can process a config.yaml (or config.yml) file containing various settings, feature flags, and other options for building your protected iOS application. This file should follow standard YAML specifications for indentation and formatting. The following optional config arguments can be used for configuring String Encryption.
```yaml
string_encryption:
  # Setting the value to 'true' will disable string encryption for your project. The default is 'false'.
  disabled: true
  # Allows filtering out the encryption of specific strings.
  filter:
    - "!Hello"
    - "!World"
  # Exclude specified string values. String values which exactly match the exclusions will be skipped by string encryption.
  exclude:
    - "Swift"
    - "Objective-C"
  # Setting the value to 'true' enables the AES algorithm to encrypt strings in Swift and Objective-C files.
  enable_aes_encryption: true
  # Encryption key used by the AES algorithm to encrypt or decrypt. The expected length is 256 bits or 32 bytes.
  aes_encryption_key: bbb098iv
  # Encryption initialization vector (IV), which enhances security by introducing randomness. The expected length is 12 bytes.
  aes_encryption_iv: aaa123key
  # Setting the value to 'true' treats a single-character Swift string as a Swift Character. By default, it is set to false.
  single_string_as_char: {value}
```
The filter expression from the command-line example can be given in the config file in the same form:
```yaml
filter:
  - "ab*, !abl"
```