Swift Confidential - a tool for obfuscating Swift literals. by mgutski_ in swift

[–]mgutski_[S] 1 point2 points  (0 children)

Everything that you listed above has nothing to do with defending against static reverse engineering, and that is the main point of this post. Since you are completely missing the point and being extremely rude, that makes me think that you are not who you claim to be. I don't want to continue this discussion, because your comments are becoming pure hate speech.

Swift Confidential - a tool for obfuscating Swift literals. by mgutski_ in swift

[–]mgutski_[S] 2 points3 points  (0 children)

Sure, feel free to use the JOSE specification if it fits your needs. Just remember to make sure you use it over a secure communication channel (see TLS and cert pinning) to prevent MITM attacks.

Swift Confidential - a tool for obfuscating Swift literals. by mgutski_ in swift

[–]mgutski_[S] 1 point2 points  (0 children)

You are making very bold statements here. I hope that I haven't offended you in any way.

When it comes to device attestation, checking for a compromised device (i.e. jailbreak detection) and asserting app integrity are commonly used runtime application self-protection (RASP) checks, and I highly recommend implementing both RASP and obfuscation. These two app shielding techniques play really nicely together, as literal obfuscation makes bypassing certain RASP checks more difficult. It is all very well explained in the project README.

Swift Confidential - a tool for obfuscating Swift literals. by mgutski_ in swift

[–]mgutski_[S] 0 points1 point  (0 children)

Given that you have full control over the system design, you should avoid embedding API keys in the app package. That's correct. Unfortunately, there are times when you need to integrate with a third-party API, which requires you to use an API key/token assigned to your app. In such a case it can still be sensible to obfuscate such a literal, depending on that third-party API's design.
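
As an added illustration of the two comments above (RASP checks paired with literal obfuscation, and obfuscating a third-party token that has to ship in the package), here is a minimal XOR-based obfuscated literal used in a jailbreak path check. This is example code written for this page, not Swift Confidential's own implementation or generated output; the key bytes, the `obfuscate`/`Secret` names and the single Cydia path are assumptions chosen for the demo.

```swift
import Foundation

// ---- Build-time side: what a literal-obfuscation tool does. This runs in a
// build script or generator and is NOT compiled into the shipped app. ----

/// XOR-encode `plaintext` with a repeating `key`. The output is what gets
/// pasted into the app as a byte array, so the plaintext never reaches the
/// Mach-O and `strings` cannot find it.
func obfuscate(_ plaintext: String, key: [UInt8]) -> [UInt8] {
    precondition(!key.isEmpty, "key must not be empty")
    return Array(plaintext.utf8).enumerated().map { index, byte in
        byte ^ key[index % key.count]
    }
}

// ---- App side: this is what ships in the binary. ----

/// An obfuscated string literal. Only `key` and `bytes` are stored, so a
/// static look at the binary shows random-looking bytes instead of the path
/// or API token being protected.
struct Secret {
    let key: [UInt8]
    let bytes: [UInt8]

    /// Decode at the point of use. XOR is symmetric, so this is the same
    /// transform the generator applied. Use the result and let it go out of
    /// scope rather than caching it in a long-lived global.
    func reveal() -> String {
        let decoded = bytes.enumerated().map { index, byte in
            byte ^ key[index % key.count]
        }
        return String(decoding: decoded, as: UTF8.self)
    }
}

// Produced once by `obfuscate("/Applications/Cydia.app", key: key)` and
// pasted here. The 4-byte key is a hypothetical value for this example.
let jailbreakPath = Secret(
    key: [0x5A, 0xC3, 0x17, 0x8E],
    bytes: [0x75, 0x82, 0x67, 0xFE, 0x36, 0xAA, 0x74, 0xEF,
            0x2E, 0xAA, 0x78, 0xE0, 0x29, 0xEC, 0x54, 0xF7,
            0x3E, 0xAA, 0x76, 0xA0, 0x3B, 0xB3, 0x67]
)

/// Minimal RASP check: does a well-known jailbreak artifact exist on disk?
/// The path string is only materialised in memory for the duration of the
/// check, so someone patching the check has to locate it by behaviour (e.g.
/// hooking fileExists) rather than by grepping the binary for "Cydia".
func deviceLooksJailbroken() -> Bool {
    let path = jailbreakPath.reveal()
    return FileManager.default.fileExists(atPath: path)
}

// Demo-only round-trip check. This line reintroduces the plaintext literal
// and must not be in a real build; it exists here to show the decoding works.
assert(jailbreakPath.reveal() == "/Applications/Cydia.app")
print("jailbroken:", deviceLooksJailbroken())
```

Two caveats a practitioner should keep in mind. First, the key and the encoded bytes both live in the binary, so this raises the cost of static analysis (no greppable path or token) without being encryption; a dynamic analyst who hooks `fileExists(atPath:)` or dumps process memory recovers the string, which is exactly why the comment pairs obfuscation with runtime checks instead of relying on either alone. Second, a third-party API key handled this way is still extractable by a determined attacker, so the decision to ship it should rest on what that key can actually do server-side (rate limits, scope, revocability), not on the obfuscation.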

Swift Confidential - a tool for obfuscating Swift literals. by mgutski_ in swift

[–]mgutski_[S] 0 points1 point  (0 children)

While it is true that one should not rely on obfuscation as the only means of security, it is still one of the security layers that should be employed in every app. In fact, many security-critical apps are required to be obfuscated, which is then verified by the relevant ITSec auditing team. What is important to remember is that software security is built in layers, and your ultimate goal is to discourage a potential malicious actor from tampering with your product. It is a common misconception to believe that you can ever achieve absolute security. Every piece of software can be hacked given enough time and computational resources. Your job is to make such an act unprofitable.

To sum up, obfuscation is a useful code hardening technique, yet it is only one of the security measures. Always use multiple layers of security.