How to Obfuscate iOS Control Flows and Methods

Learn the 3 easy steps to obfuscate iOS control flows and methods. Relocate control flows to obscure the app logic and prevent reverse engineering. No code, no SDK.

This Knowledge Base article provides step-by-step instructions for using Appdome to obfuscate the control flow in an iOS app. Control flow relocation is one of several methods you can use to obfuscate mobile apps as a first line of defense against static code analysis. Static code analysis is a type of reverse engineering where attackers try to understand how your app works by analyzing your source code and the app’s logical control flows.

Why is it Important to Obfuscate Control Flows in iOS Apps?   

In recent years, decompilers have matured to the point where source code can be recovered from mobile apps with ease. Obfuscation has become a well-established preventive measure that developers use against static reverse engineering attempts. Several things set obfuscation solutions apart: ease of use (e.g., specialized compilers and post-build tools), performance (i.e., the performance penalty, if any) and the reference threat level.
Since all defenses can eventually be broken, the measure of how good a defense is, is the amount of work, expertise and time expected to break it.

Appdome’s Flow Relocation is a security feature that modifies a mobile app’s compiled code by obfuscating the logical control flow of the app. Appdome’s Flow Relocation makes reverse engineering an arduous task while preserving the functionality and performance of the original app. Appdome with Flow-Relocation™ is compatible with mobile apps built in any development environment, including native Android and iOS apps, hybrid apps, and non-native apps built in Xamarin, Cordova, React Native, Ionic, and more. This streamlines implementations, cuts development work, and ensures a guaranteed and consistent integration of Flow-Relocation™ to any mobile app.

Control Flow Relocation in iOS Apps

In iOS, the application’s executable (see the structure of iOS applications) manifests as binary code. To make it un-parsable by reverse engineering tools, Appdome uses several techniques such as polymorphic unconditional branching in place of the original instructions so that the original instructions no longer appear in the application’s binary. This creates an appearance of spaghetti code which is extremely difficult to reverse engineer.

IMPORTANT: The feature is hardware-specific and only applies to ARM64 binaries. This means:

  1. Applications that do not have ARM64 support cannot take advantage of Flow Relocation.
    This is in fact a rare case: since iOS 11 (2017) there is no longer official support for ARMv7, meaning these applications will no longer work on contemporary devices.
  2. Applications with several architectures will be stripped to contain only ARM64. Keeping the other architectures will defeat the purpose of the obfuscation as the attacker can just try and reverse the non-obfuscated architecture’s code.
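
A way to check the point above on a built app executable: this added example (not Appdome's code) reads the Mach-O fat header and reports any slice other than arm64. The function names and sample bytes are constructed for illustration; the header layout and CPU type values are those of Apple's Mach-O format.

```python
import struct

# CPU type values from Apple's <mach/machine.h>
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPES = {
    7: "i386",
    7 | CPU_ARCH_ABI64: "x86_64",
    12: "arm",                      # 32-bit ARM (armv7, armv7s)
    12 | CPU_ARCH_ABI64: "arm64",
}
FAT_MAGIC, FAT_MAGIC_64 = 0xCAFEBABE, 0xCAFEBABF
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF

def list_architectures(data: bytes) -> list[str]:
    """Return the architecture name of every slice in a Mach-O file image."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O file")
    (magic_be,) = struct.unpack_from(">I", data, 0)
    if magic_be in (FAT_MAGIC, FAT_MAGIC_64):
        # The fat header and its fat_arch entries are always big-endian.
        (count,) = struct.unpack_from(">I", data, 4)
        entry = 32 if magic_be == FAT_MAGIC_64 else 20
        if 8 + count * entry > len(data):
            raise ValueError("truncated fat header")
        archs = []
        for i in range(count):
            (cputype,) = struct.unpack_from(">I", data, 8 + i * entry)
            archs.append(CPU_TYPES.get(cputype, f"unknown({cputype:#x})"))
        return archs
    (magic_le,) = struct.unpack_from("<I", data, 0)
    if magic_le in (MH_MAGIC, MH_MAGIC_64):
        # Thin binary: a single little-endian mach_header.
        (cputype,) = struct.unpack_from("<I", data, 4)
        return [CPU_TYPES.get(cputype, f"unknown({cputype:#x})")]
    raise ValueError("not a Mach-O or fat binary")

def non_arm64_slices(data: bytes) -> list[str]:
    """Slices other than arm64, which Flow Relocation does not cover."""
    return [a for a in list_architectures(data) if a != "arm64"]

# Constructed sample: a fat header declaring an armv7 and an arm64 slice.
SAMPLE_FAT = struct.pack(">II", FAT_MAGIC, 2) + b"".join(
    struct.pack(">5I", cpu, 0, off, 0x4000, 14)
    for cpu, off in ((12, 0x4000), (12 | CPU_ARCH_ABI64, 0x8000))
)
# Constructed sample: the first 8 bytes of a thin arm64 mach_header_64.
SAMPLE_THIN = struct.pack("<II", MH_MAGIC_64, 12 | CPU_ARCH_ABI64)
```

An empty result from `non_arm64_slices` on the executable inside the built .ipa means no other architecture's code is left to analyze in its place.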

This feature works very well together with Binary Code Obfuscation to create an iron-clad anti-reversing shield for the application’s binary.

This obfuscation technique provides the following benefits:

  1. Trying to use offline reversing techniques on the application will fail as the “function tree” of the application will appear to be broken.
    For example, if the application had the following functional path: login->verify-username->access-user-db, it will appear as two disconnected paths: login->a and verify-username->b. You will notice that access-user-db is not even referenced.
  2. The database access is highly optimized and performs without causing any slowdown to the application.
  3. Since the database is encrypted, it is protected by Appdome’s Anti-Tampering.
  4. In addition, any attempt to force this information out of the application using run-time methods will be met with Appdome’s Anti-Debugging.

If your application was developed using a non-native framework such as React-Native, Cordova or Xamarin, you might want to check out Non-Native Code Obfuscation.

If, on the other hand, your application has more native code in it, we recommend you check out Binary Code Obfuscation.

We are aware, of course, that applications are not always perfect and there might be crashes here and there. We took special care when designing code flow relocation to make sure that the original flow is visible in the stack trace of Java exceptions.

This enables developers to quickly trace the source of a bug in the app, even when obfuscated.

3 Easy Steps to Add Control Flow Relocation to any iOS App

Please follow these 3 easy steps to implement Flow Relocation in iOS apps. 

  1. Upload an iOS app (.ipa)
  2. Navigate to Build Security > TOTALCode™ Obfuscation and toggle “ON” Flow Relocation
  3. Click Build My App


Congratulations! Your iOS app is now secured with Appdome Flow Relocation.

Prerequisites for Using Appdome Flow Relocation

In order to use Appdome’s no-code implementation of Flow Relocation on Appdome, you’ll need:

No Coding Dependency

Using Appdome, there are no development or coding prerequisites to secure iOS and Android apps using Control Flow Relocation. There is no SDK and no library to manually code or implement in the app. The Appdome technology adds the relevant standards, frameworks, and logic to the app automatically, with no manual development work at all.

How to Sign & Publish Secured Mobile Apps Built on Appdome

After successfully securing your app using Appdome, there are several available options to complete your project, depending on your app lifecycle or workflow. These include

 

Or, see this quick reference Releasing Secured Android & iOS Apps built on Appdome.

How to Learn More

Check out the following related KB articles:

How to Obfuscate Non-Native Android & iOS Code and Frameworks

How to add Native Code Obfuscation to any iOS, Android app

How to Encrypt Java Class Files (.dex) in Android Apps

Appdome ONEShield Mobile App Hardening

If you have any questions, please send them our way at support@appdome.com or via the chat window on the Appdome platform.

Or request a demo at any time.

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.

 

Dany Zatuchna
