This project provides a utility library and tools for resource and data encryption on iOS. It obfuscates resources using an XOR or AES256 function with a key provided in the binary, rendering the resources unreadable for regular users or moderate attackers.
The project contains a simple tool written in Java that can be used to encrypt or decrypt files using the XOR algorithm, like this:
$ java -jar crypted-resource-java-tool.jar gen 16
ffa17e84f481201844724a4e1c1b981e
$ java -jar crypted-resource-java-tool.jar xor input.png output.cri ffa17e84f481201844724a4e1c1b981e
The command above stores the encrypted version of input.png to the file output.cri, using ffa17e84f481201844724a4e1c1b981e as the key for encryption.
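What the gen and xor commands above amount to, as an added example that is not the tool's own source: it assumes the tool applies a repeating-key XOR over the file bytes, and the class and method names are hypothetical. Because XOR is its own inverse, the same call both encrypts and decrypts.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class XorResourceDemo {
    // Hypothetical equivalent of "gen 16": n random bytes printed as lowercase hex.
    static String genKey(int n) {
        byte[] raw = new byte[n];
        new SecureRandom().nextBytes(raw);
        StringBuilder sb = new StringBuilder();
        for (byte b : raw) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Decode a hex key string; reject empty, odd-length or non-hex input.
    static byte[] parseHexKey(String hex) {
        if (hex.isEmpty() || hex.length() % 2 != 0)
            throw new IllegalArgumentException("key must be a non-empty, even-length hex string");
        byte[] key = new byte[hex.length() / 2];
        for (int i = 0; i < key.length; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) throw new IllegalArgumentException("non-hex character in key");
            key[i] = (byte) ((hi << 4) | lo);
        }
        return key;
    }

    // Assumed transform: each data byte XORed with the key, the key repeating.
    static byte[] xor(byte[] data, byte[] key) {
        byte[] out = new byte[data.length];
        for (int i = 0; i < data.length; i++) out[i] = (byte) (data[i] ^ key[i % key.length]);
        return out;
    }

    public static void main(String[] args) {
        byte[] key = parseHexKey("ffa17e84f481201844724a4e1c1b981e"); // key from the page
        // Constructed sample input standing in for the bytes of input.png.
        byte[] resource = "constructed sample resource bytes".getBytes(StandardCharsets.UTF_8);
        byte[] crypted = xor(resource, key);   // what would be written to output.cri
        byte[] restored = xor(crypted, key);   // applying the same key again decrypts
        System.out.println("ciphertext differs: " + !Arrays.equals(resource, crypted));
        System.out.println("round trip ok: " + Arrays.equals(resource, restored));
        System.out.println("fresh 16-byte key: " + genKey(16));
    }
}
```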
Also, there is a sample iOS project that demonstrates the use of the client side library.
All library files are under the Lib/CryptedResources group in the project. To use the library, just drag and drop the Lib/CryptedResources group to your project.
Then, you need to open the CryptedConstants.h file and put the generated key there:
#define DEFAULT_KEY @"ffa17e84f481201844724a4e1c1b981e"
From this moment on, you are able to call the specific methods on UIImage, NSString and NSData, for example:
#import "CryptedResources.h"
// ...
self.image = [UIImage cryptedImageNamed:@"output.cri"];
self.text = [NSString stringWithContentsOfCryptedFile:@"crypted_text.crs"
encoding:NSUTF8StringEncoding];
self.data = [NSData cryptedDataWithData:originalData];
Alternatively, you can provide an individual key (in hexadecimal string format, or as a raw NSData object) for each of the resources, for example as such:
self.data = [NSData cryptedDataWithData:originalData hexKey:@"1234567890abcdef"];
This may come in handy in case you need to obfuscate the key itself in the binary.
See the header files for more detailed information on what methods are available.
This software is shared under the IHL ("Inmite Happiness License"), which is derived entirely from the MIT license, except that you have to follow @inmite if you are happy using the software in question.
- AES256 data encryption
- random key obfuscation generator
Why do I need to encrypt bundle resources in the mobile app?
There might be several reasons for resource encryption. The first one is preventing someone with moderate skills from stealing them from your application. Designing icons and app graphics is hard - stealing them is unfair.
There are also more advanced reasons for resource encryption. If you write an application which uses an image wizard as an introduction, replacing an image might instruct a user to perform an incorrect task (such as calling a malicious number). These types of attacks play a role in applications with high security concerns, such as mobile banking or insurance apps.
Is this really secure? Is there no way attacker steals the data?
Well, first, security is a matter of threats and their impacts. Basically, since all the cryptography happens on the device, the attacker will win in the end. Unless you store the key in some smarter manner on the device (or even on the server), of course.
The mechanism in its basic form will prevent someone who is able to jailbreak the device and use tools such as iExplorer to steal or modify your resources. And it can buy you some time...