Code obfuscation for mobile applications (Swift Shield for iOS)
iOS app binaries can be decompiled. Hopper Disassembler and IDA Pro recover class names, method names and string constants from Swift/Obj-C symbols in .ipa. If code has hardcoded API endpoint, secret key or purchase verification logic — it's readable without much effort. SwiftShield renames symbols at compile stage, making decompiled code significantly harder to analyze.
What SwiftShield can and cannot do
SwiftShield works at source level: parses .swift files, generates random names for classes, structs, enums, protocols and methods, then runs build with renamed symbols. Result: PaymentVerificationService in disassembler becomes a3kX9mQp, validateReceiptLocally() — f7nW2sLo.
Limitations to know before starting:
- String literals SwiftShield doesn't touch.
"https://api.example.com/secret"stays in binary as is. Protecting strings needs separate approach — encrypting constants at compile time (e.g. viaobfuscate-swiftor custom build script withCryptoKit). - Doesn't work with Objective-C code — Obj-C runtime requires real selector names for
@selector()andrespondsToSelector:. - SwiftUI, CoreData generated code,
@objc-annotated methods — these symbols can't be renamed, must be explicitly excluded. - Xcode 15+ periodically breaks compatibility: SwiftShield depends on
sourcekitdoutput, which changes between Xcode versions.
How it integrates into project
Installation via Mint (recommended, avoids version conflicts):
mint install rockbruno/[email protected]
Basic run:
swiftshield obfuscate \
--project-root /path/to/MyApp \
--automatic-filter
--automatic-filter tries to automatically exclude public API and @objc symbols. In practice this works 80% — remaining 20% must be added to exclusions manually.
Exclusions file swiftshield-ignore.txt:
// Exclude everything that sticks out
AppDelegate
SceneDelegate
// CoreData entities
UserEntity
OrderEntity
// @objc-methods
handleNotification
applicationDidBecomeActive
Typical problem on first run — crash on NSInternalInconsistencyException or unrecognized selector due to method rename called via string literal (NSSelectorFromString("someMethod")). Search via grep -r "NSSelectorFromString\|#selector\|@objc" and add to exclusions.
CI integration: obfuscation runs only for Release config. SwiftShield generates mapping file (swiftshield-output/), which must be stored: without it crash reports from Firebase Crashlytics can't be symbolicated.
# GitHub Actions
- name: Obfuscate (Release only)
if: github.ref == 'refs/heads/main'
run: |
mint run swiftshield obfuscate \
--project-root . \
--automatic-filter
Symbolication of obfuscated crashes — this pain is often ignored. Firebase Crashlytics uploads dSYM file and unwraps stack addresses. But class names in stack are already obfuscated. Need: store SwiftShield mapping + dSYM in one archive with version tag, and apply mapping back when reading crash.
Additional layer: string protection
SwiftShield doesn't touch strings, so for API keys and endpoints use compile-time encryption. Simple variant via GYB or build phase script:
// Encrypted constants generated by script
let apiKey = Obfuscated.reveal([0x4F, 0x7A, 0x2B, 0x91, ...])
For serious protection — swift-crypto (CryptoKit wrapper) or iOS Keychain integration for storing keys obtained from server on first launch.
What protection doesn't guarantee
Obfuscation complicates reverse-engineering, but doesn't make it impossible. Frida connects to process at runtime and intercepts calls regardless of symbol names. SSL unpinning via objection works on jailbroken devices. Obfuscation — one layer of protection, not silver bullet.
Process
Code base audit: determining symbols for exclusions, searching @objc dependencies, Obj-C bridge.
SwiftShield setup: configuration, exclusions file, test run on Debug build to find problems.
CI integration: Release-only pipeline, mapping file storage, symbolication workflow.
Additionally: analysis of string constants, recommendations for secret storage.
Timeline estimates
Basic SwiftShield setup for project without Obj-C — 1 day. If project uses Obj-C code, CoreData generated files, complex @objc dependencies — 2–3 days with full Release build testing.