Post Protection

XTD Protect for iOS Command Line Tools

When the tool finishes the protection process, you will see a printout of the binaries that have been protected as part of the process. For example:

The following 4 binaries were protected:
   App: Telegram
      Original size: 1.32MB               Protected size: 1.39MB                  Time taken: 1.64s
   Framework: PostboxFramework
      Original size: 6.84MB                       Protected size: 6.98MB                  Time taken: 18.01s
   Framework: MtProtoKitFramework
      Original size: 1.11MB                       Protected size: 1.19MB                  Time taken: 3.4s
   Framework: SwiftSignalKitFramework
      Original size: 585.24KB                     Protected size: 450.50KB                Time taken: 1.53s

The following 2 binaries failed to protect:
   Framework: TelegramUIFramework
      Failed to protect: built using an unsupported Xcode SDK (must be higher than 16.0.0)
   Framework: TelegramCoreFramework
      Failed to protect: the minimum OS deployment target is too low (deployment target must be between 11.0 to 17.5)

The following 3 frameworks were not selected for protection: TelegramCrypto, CameraSDK, Firebase

The following 1 plugin was not selected for protection: telegram-siri

Protected 4 Mach-O files out of 10:
   Protection successful: 4
   Protection failed: 2
   Not selected for protection: 4
        Total time taken: 24.58s

The summary will tell you which targets have been protected successfully, which failed and which ones have not been selected for protection. If a framework or a plugin failed protection, it will be copied as unprotected. If the failure reason is simple, e.g. incompatible SDK version, it will be given as part of the summary. A high count of targets that were not selected for protection is not a problem - it simply means that framework or plugin protection is turned off.

Efficacy report

The efficacy report can be useful in assessing the level of protection applied to the binary. The report is a JSON file containing information about the environment, the target, and the precise configuration of protection that was applied.

To generate an efficacy report, provide the --generate-report flag during protection.

iosdefender --generate-report --config project.config --output-directory out Molecules.xcarchive

At the end of protection, you will find an efficacy report for each target (app, plugin, framework) that was protected in the output directory.

admin@VMX Molecules % ls -ltr out
total 1200
-rw-r--r--@ 1 admin  staff    1052  6 Jun 11:10 Molecules-app-efficacy_report-2024-06-06T11:10:17Z.json
-rw-r--r--@ 1 admin  staff  604080  6 Jun 11:10 Molecules-protected.tar.gz
-rw-r--r--@ 1 admin  staff    1052  6 Jun 11:10 Firebase-framework-efficacy_report-2024-06-06T11:10:17Z.json
-rw-r--r--@ 1 admin  staff    1052  6 Jun 11:10 Firebase-plugin-efficacy_report-2024-06-06T11:10:17Z.json

The filenames are in the form of <target_name>-<target_type>-efficacy_report-<timestamp>.json and contain JSON data:

"file_version": "1.0.0",
"application": {
   "name": "Molecules",
   "version": "1.0/1",
   "package_name": "",
   "main_file_path": "/Users/admin/Molecules.xcarchive/Products/Applications/Molecules.app/Molecules",
   "supported_platforms": [
         "iphoneos"
   ],
   "supported_architectures": [
         "arm64"
   ]
},
"environment": {
   "host_platform": {
         "os": "Darwin",
         "os_version": "14.5",
         "architecture": "arm64"
   },
   "tool": {
         "name": "IOSdefender",
         "version": "6.10"
   },
   "config": {
         "config_file_path": "/Users/admin/project.config"
   },
   "time_stamp": "2024-06-06T11:10:16Z"
},
"protection": {
   "anti_tamper": {
         "enabled": true,
         "superchecks": true,
         "check_network": true,
         "check_density": 0.5
   },
<..>

Signing the protected application

The protected application is not signed since the signature was removed from the submitted archive. The application needs to be re-signed with your valid identity and app entitlements before distribution. Xcode uses the codesign command line tool to sign the application. This tool can be also used to sign the app without Xcode as well.To ensure valid signing a script with code sign command(s) was auto-generated and packaged along with the archive. It is mandatory to use this signing script. The script requires a valid sign identity to be passed in. Open the terminal window, locate sign_archive.sh script and type the following command.It’s important the script is running from the folder where the protected archive is located because the auto-generated script uses relative paths.$ ./sign_archive.sh <identity>where <identity> is your code signing certificate in your keychain. The script can also display a list of identities (private key + certificate) when called without arguments.Example:$ ./sign_archive.sh F10902278BC3BD7640DAAD8DB92294BC535AE825

The list of identities (private key + certificate) can be obtained by typing the following command in the terminal window.$ security find-identity -v -p codesigning

To produce an installable, “.ipa” file add the –export-ipa switch to the command.This will produce an ipa file in the directory output which can be installed to devices or uploaded to the app store.

Example of code signing

Below is an example of code signing of protected Molecules app. The archive was created in /tmp/protected folder.

  1. Locate the archive with unsigned protected app.

    /tmp/protected $ ls
    Molecules-protected.xcarchive
  2. Extract all files from the archive.

    /tmp/protected $ tar xf Molecules-protected.tar.gz
    /tmp/protected $ ls
    Entitlements-Molecules.plist  Molecules-protected.tar.gz    Molecules-protected.xcarchive README-post-protection.txt    sign_archive.sh
  3. Find a suitable identity for code signing.

    /tmp/protected $ security find-identity -v -p codesigning
      1) 57966130A9A949FE5439D064BC63E9156155EBAE "Apple Development: Denis Alyshev (XXXXXXXXXX)"
      2) 126E9F00964AF0495F7C5C939A6C21AC45A73688 "iPhone Developer: Denis Alyshev (XXXXXXXXXX)"
         2 valid identities found
  4. Sign the archive.

    /tmp/protected $ ./sign_archive.sh 126E9F00964AF0495F7C5C939A6C21AC45A73688
    Signing Molecules-protected.xcarchive
    Success.

Extracting IPA file

After signing the protected archive, the application can be exported to IPA format for local distribution. This step is not required if the application is intended for distribution via Apple App Store. The IPA can be created using Xcode Organizer or using Xcode command line tools.

$ xcodebuild -exportArchive -archivePath <archive> -exportOptionsPlist ExportOptions.plist -exportPath <path>

Where:

  • <archive> is the full path to the archive
  • ExportOptions.plist is a plist file with export options
  • <path> is the output folder where the IPA will be placed.

The same version of Xcode IDE must be used for the protection of the archive and IPA export. The active Xcode version and the command line tool version can be checked with the following command lines:

$ xcodebuild -version
Xcode 14.3
Build version 14E222b

$ xcode-select -p
/Applications/Xcode-14.3.app/Contents/Developer