You're Invited:Meet the Socket Team at BlackHat and DEF CON in Las Vegas, Aug 4-6.RSVP
Socket
Book a DemoInstallSign in
Socket
Book a DemoInstallSign in

github.com/pjebs/Obfuscator-iOS

Package Overview
Dependencies
Alerts
File Explorer
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

github.com/pjebs/Obfuscator-iOS

v1.0.1
Source
Go
Version published
Created
Source

App Obfuscator for iOS Apps

Secure your app by obfuscating all the hard-coded security-sensitive strings.

Security Sensitive strings can be:

  • REST API Credentials
  • OAuth Credentials
  • Passwords
  • URLs not intended to be known to the public (i.e. private backend API endpoints)
  • Keys & Secrets

This library hard-codes typical NSStrings as C language strings encoded in hexadecimal. When your app needs the original unobfuscated NSStrings, it dynamically decodes it back.

It adds an extra layer of security against prying eyes.

This makes it harder for people with jail-broken iPhones from opening up your app's executable file and looking for strings embedded in the binary that may appear 'interesting'.

See generally:

  • iOS App Security and Analysis
  • Storing Secret Keys

Installation

CocoaPods

pod 'Obfuscator', '~> 1.0'

Create Globals.h & Globals.m files

This is typically where you store your sensitive strings that you want available globally.

File(top menu)->New->File...

Create a Prefix Header

For XCode 6, you will need to create a pch file from scratch.

  • Add to bottom:
//Now you do not need to include those headers anywhere else in your project.
#import "Globals.h"
#import "Obfuscator.h"

Usage

Step 1

Let's assume you are using Parse. In order to use their backend services, they will provide you with a client key:

clientKey:@"JEG3i8R9LAXIDW0kXGHGjauak0G2mAjPacv1QfkO"

Since the string is hard-coded, it will be baked into the executable binary - easily accessible to unscrupulous prying eyes.

We need to encode it as a global C-String encoded in hexadecimal.

Obfuscator *o = [Obfuscator newWithSalt:[AppDelegate class],[NSString class], nil];  //Use any class(es) within your app that won't stand out to a hacker

[o hexByObfuscatingString:@"JEG3i8R9LAXIDW0kXGHGjauak0G2mAjPacv1QfkO"];

This will print out the following code in the XCode Console output (NSLog):

Objective-C Code:
extern const unsigned char key[];
//Original: JEG3i8R9LAXIDW0kXGHGjauak0G2mAjPacv1QfkO
const unsigned char key[] = { 0x7E, 0x23, 0x25, 0xB, 0xB, 0xF, 0x31, 0x9, 0x7B, 0x70, 0x3B, 0x7F, 0x21, 0x35, 0x9, 0x52, 0x6D, 0x21, 0x2C, 0x7F, 0xE, 0x4, 0x43, 0x52, 0x53, 0x54, 0x75, 0x4, 0x5C, 0x27, 0xB, 0x36, 0x3, 0x5B, 0x15, 0x52, 0x60, 0x5E, 0xE, 0x2E, 0x00 };

Before Deploying your app DELETE OUT ALL REFERENCE TO hexByObfuscatingString: METHOD. It is purely for obtaining the Objective-C code above.

Step 2

Copy the extern const unsigned char parseKey[]; from Step 1 into Globals.h.

Copy the const unsigned char parseKey[] = ... from Step 1 into Globals.m.

Remember to change key[] to something more relevant.

It may be a good idea to add the original string as comments in Globals.m in case you need to re-encode it again (i.e. Step 4).

Step 3

When your app needs to use the unobfuscated string:

- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
	
	Obfuscator *o = [Obfuscator newWithSalt:[AppDelegate class],[NSString class], nil]; //The salt MUST match Step 1
	
	/* INSTEAD OF THIS:
	[Parse setApplicationId:@"TestApp"
              clientKey:@"JEG3i8R9LAXIDW0kXGHGjauak0G2mAjPacv1QfkO"];
	 */


	[Parse setApplicationId:@"TestApp"
              	clientKey:[o reveal:parseKey];

	return YES;
}

The Salt used by reveal: method MUST MATCH the salt used in Step 1.

Step 4

THIS STEP IS VERY IMPORTANT

Double check that ALL of your obfuscated strings can be unobfuscated back to the original. If not, then change the salt and try again. If even one string cannot be unofuscated, then that particular string can not be used with this library. The others can.

Other Useful Packages

Check out "github.com/pjebs/EasySocial" library. The Easiest and Simplest iOS library for Twitter and Facebook. Just Drop in and Use!

Check out "github.com/pjebs/optimus-go" package. Internal ID hashing and Obfuscation using Knuth's Algorithm. (For databases etc)

Credits:

Final Notes

If you found this package useful, please Star it on github. Feel free to fork or provide pull requests. Any bug reports will be warmly received.

PJ Engineering and Business Solutions Pty. Ltd.

FAQs

Package last updated on 27 Jun 2015

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Critical Vulnerability in NestJS Devtools: Localhost RCE via Sandbox Escape

Research

/

Security News

Critical Vulnerability in NestJS Devtools: Localhost RCE via Sandbox Escape

A flawed sandbox in @nestjs/devtools-integration lets attackers run code on your machine via CSRF, leading to full Remote Code Execution (RCE).

By Jonathan Leitschuh  -  Aug 01, 2025
Introducing Rust Support in Socket

Product

Introducing Rust Support in Socket

Socket now supports Rust and Cargo, offering package search for all users and experimental SBOM generation for enterprise projects.

By Trevor Norris  -  Jul 31, 2025