
I'm encrypting data for an iPhone app using the CommonCrypto libraries. The data is local to the application. The encryption key is hardcoded in the code using an NSString.

I wonder if there is a way to access the value of this NSString from the app executable. I know that the code will be in executable form, but at the end an NSString has to store that value in plain text somewhere in the app. Accessing the app folder using iExplorer, for example, will give full access to the executable.

AstroCB
zago
  • First off, hard coding an encryption key is bad practice and should be avoided if at all possible. If you want, the command line program `strings` will _find the printable strings in a object, or other binary, file_ – carloabelli Aug 14 '14 at 22:58
  • @cabellicar123 I tried with strings on the executable and I couldn't find anything. That's why I wondered if there is maybe a different way to do it. – zago Aug 14 '14 at 23:01
  • Generally speaking, yes. If it's stored as a character string literal then that literal can be extracted by someone with the right tools. (At the very least you can obfuscate things by storing the password in several parts that are brought together in a method named "metricBsaFormula".) – Hot Licks Aug 14 '14 at 23:04
  • Do it on a simulator build. The device build is signed and encrypted. Of course hackers can easily unsign/decrypt your binary. – rmaddy Aug 14 '14 at 23:04
  • If this is a banking app, can you tell me the name and when it will be released? ;) – quellish Aug 14 '14 at 23:08
  • If you want, you can get easier access (don't have to use iExplorer) by looking under the `Products` folder in Xcode and right clicking and Show In Finder on the .app bundle. – carloabelli Aug 14 '14 at 23:14

1 Answer


Assuming the application was downloaded from the app store onto a device...

  1. Decrypt the binary. This requires a jailbroken device, but it's trivial (there are many, many tools to do this, and tutorials on teh intarwebs)
  2. Move the decrypted binary to a desktop
  3. Run whatever tools you want on it. strings, etc. will all work. IDA Pro or Hopper will disassemble the binary and show not only the C strings in the binary, but the code that accesses it as well.
  4. At this point you have the encryption key that ALL of the users of this application depend on.
  5. ...
  6. Profit!

Pulling the C strings out of a binary is one of the first things any attacker will do. It's not recommended to store sensitive information in the binary, such as encryption keys. Unfortunately, there are not many secure ways to get an encryption key to a client. Assess the risks of different approaches and decide what level of exposure you are comfortable with.

quellish
  • Thanks. The app is a game with questions. Nothing sensitive, but I don't want to see the answers uploaded somewhere to be used to cheat the game. I don't have the resources to run a server to let the users download the key through a "secure" connection. I'll try the tools you mentioned, thanks. – zago Aug 15 '14 at 00:18
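
A release check built on the `strings` step discussed above, as an added example that is not part of the original answer or comments: it scans a built binary for a known secret stored as an ASCII or UTF-16LE literal, the second of which an ASCII-only scan does not report. The key value, the sample bytes and the function names are constructed for illustration.

```python
import re

MIN_LEN = 6  # shortest run reported, similar to `strings -n 6`

# Runs of printable ASCII, and the same characters stored as UTF-16LE.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def printable_strings(blob, wide=True):
    """Return sorted (offset, encoding, text) for each printable run in blob."""
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ASCII_RUN.finditer(blob)]
    if wide:
        found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
                  for m in UTF16_RUN.finditer(blob)]
    return sorted(found)


def embedded_secrets(blob, secrets, wide=True):
    """Return the secrets that are recoverable from blob as a literal."""
    texts = [text for _, _, text in printable_strings(blob, wide)]
    return [s for s in secrets if any(s in t for t in texts)]


# Constructed test data: a made-up key inside made-up bytes (not a real binary).
KEY = "S3cr3tQuizKey!2014"
SAMPLE_ASCII = (b"\xcf\xfa\xed\xfe" + b"\x00" * 8 + b"questions.db\x00"
                + KEY.encode("ascii") + b"\x00\x90")
SAMPLE_WIDE = b"\xcf\xfa\xed\xfe\x01\x02" + KEY.encode("utf-16-le") + b"\x00\x00\xff"
SAMPLE_CLEAN = b"\xcf\xfa\xed\xfe" + b"\x00" * 8 + b"questions.db\x00\x90"

if __name__ == "__main__":
    for name, blob in [("ascii", SAMPLE_ASCII), ("wide", SAMPLE_WIDE),
                       ("clean", SAMPLE_CLEAN)]:
        hits = embedded_secrets(blob, [KEY])
        print(name, "FAIL: key literal present" if hits else "ok")
```

Passing this check only shows that the key is not present as one contiguous literal; a key assembled from parts at run time is still visible in the disassembled code that builds it.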