How Appdome Can Encrypt Specific Strings in Your iOS App

Introduction

Appdome is a no-code mobile integration platform as a service (iPaaS), supporting a wide variety of implementations for Android and iOS apps.

This Knowledge Base article explains how anybody can encrypt strings and resources of mobile apps using ONEShield by Appdome.

We hope you find it useful and enjoy using Appdome!

Overview

Developers using Appdome can inform the Appdome AppFusion process which specific strings to encrypt within their Fused iOS app!

Below you will see the steps you can take with Appdome to Encrypt Specific Strings in your iOS Apps.

Usage

Developers can specify strings for Appdome to encrypt in their code, for example:

var billingAddress = Address(
        street1: "1 Infinite Loop",
        street2:"",
        city: "Cupertino",
        state: "CA",
        zip: "95014"
)

When Fusing an app, Appdome will secure strings if the following modifications are made to the app code using SecString(“SecString:…”):

var billingAddress = Address(
        street1: SecString("SecString:1 Infinite Loop"),
        street2: "",
        city: SecString("SecString:Cupertino"),
        state: SecString("SecString:CA"),
        zip: SecString("SecString:95014")
)

The purpose of the prefix

"SecString:"

is to allow the Appdome AppFusion process to locate the strings and encrypt them, while the

SecString()

function envelope makes sure that the string’s contents are available at runtime to the application.

Encryption

Following fusion, the strings’ contents will be completely encrypted in the binary with no way to decipher them.

For example, here we have a credit-card number and CVV we want to encrypt.

var paymentMethod = PaymentMethod(
        creditCardNumber: SecString("SecString:1234-123456-1234"),
        expirationDate: Date(),
        cvv: SecString("SecString:999"))

Before fusion the strings will be in the clear:

000000010003AC50 aSecstring12341 DCB "SecString:1234-123456-1234",0
000000010003AC6B aSecstring999   DCB "SecString:999",0

After fusion, an attacker won’t be able to recognize this as a string:

000000010003AC50 DCB "f",0xB0,0xC7,0x3D,0xF4,0x5E,0x56,0x2C
000000010003AC50 DCB "E",0xA3," ",0x1E,"l0",5,"|"
000000010003AC50 DCB 0xC4,0x41,0xDD,0xEB,0xB,"?",0xE7,0x24,0xE0
000000010003AC50 DCB 0xCD,0x8C,3,0x83,0xB3,"SZ7O"
000000010003AC50 DCB 0xA7,6,0xC8,0xD0,0

Required modifications

It goes without saying that we want the written program to function correctly without it being fused (for testing etc…), therefore we need to add some boilerplate code to the Xcode project so all the syntax with

SecString("SecString:...")

will remain inert.

The following code needs to be added to the Xcode project (preferably in its root folder):

1. OCSecString.m:

   #import <Foundation/Foundation.h>
   @interface OCSecString : NSString
   @property (nonatomic, strong) NSString *stringHolder;
   @end
   
   @implementation OCSecString
   - (instancetype)initWithCharactersNoCopy: (unichar *)characters
     length: (NSUInteger)length
     freeWhenDone: (BOOL)freeBuffer
   {
       self = [super init];
       if (self) {
           if (characters[0] == 'S' &&
               characters[1] == 'e' &&
               characters[2] == 'c' &&
               characters[3] == 'S' &&
               characters[4] == 't' &&
               characters[5] == 'r' &&
               characters[6] == 'i' &&
               characters[7] == 'n' &&
               characters[8] == 'g' &&
               characters[9] == ':') {
               self.stringHolder = [[NSString alloc]
               initWithCharactersNoCopy:characters
               length:length
               freeWhenDone:freeBuffer];
           }
           else
           {
               NSException *ex = [
                   NSException
                   exceptionWithName:@"SecString format error"
                   reason:@"No "SecString:" prefix found"
                   userInfo:nil
               ];
               @throw ex;
           }
       }
       return self;
   }
   
   - (NSUInteger)length
   {
       return self.stringHolder.length - 10;
   }
   
   - (unichar)characterAtIndex:(NSUInteger)index
   {
       return [self.stringHolder characterAtIndex:index + 10];
   }
   @end

2. OSecString.h:

   #ifndef SecString_h
   #define SecString_h
   #import <Foundation/Foundation.h>
   @interface OCSecString : NSString
   @end
   #endif /* SecString_h */

3. <Project-Name>-Bridging-Header.h where <Project-Name> is the name of the project:

   #include "SecString.h"

4. SecString.swift:

   import Foundation
   func SecString(_ s:String) -> String {
       return OCSecString(s) as String
   }
   
   extension OCSecString {
       public convenience init(_ s:String) {
           self.init(string:s)
       }
   }

That’s it, you’re ready to go!

To zoom out on this topic, visit the Mobile App Security page on our website.

Thanks for visiting Appdome! Our mission is to make mobile integration easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.