Post Protection
XTD Protect for iOS Command Line Tools
When the tool finishes the protection process, you will see a printout of the binaries that have been protected as part of the process. For example:
The following 4 binaries were protected:
App: Telegram
Original size: 1.32MB Protected size: 1.39MB Time taken: 1.64s
Framework: PostboxFramework
Original size: 6.84MB Protected size: 6.98MB Time taken: 18.01s
Framework: MtProtoKitFramework
Original size: 1.11MB Protected size: 1.19MB Time taken: 3.4s
Framework: SwiftSignalKitFramework
Original size: 585.24KB Protected size: 450.50KB Time taken: 1.53s
The following 2 binaries failed to protect:
Framework: TelegramUIFramework
Failed to protect: built using an unsupported Xcode SDK (must be higher than 16.0.0)
Framework: TelegramCoreFramework
Failed to protect: the minimum OS deployment target is too low (deployment target must be between 11.0 to 17.5)
The following 3 frameworks were not selected for protection: TelegramCrypto, CameraSDK, Firebase
The following 1 plugin was not selected for protection: telegram-siri
Protected 4 Mach-O files out of 10:
Protection successful: 4
Protection failed: 2
Not selected for protection: 4
Total time taken: 24.58s
The summary will tell you which targets have been protected successfully, which failed and which ones have not been selected for protection. If a framework or a plugin failed protection, it will be copied as unprotected. If the failure reason is simple, e.g. incompatible SDK version, it will be given as part of the summary. A high count of targets that were not selected for protection is not a problem - it simply means that framework or plugin protection is turned off.
Efficacy report
The efficacy report can be useful in assessing the level of protection applied to the binary. The report is a JSON file containing information about the environment, the target, and the precise configuration of protection that was applied.
To generate an efficacy report, provide the --generate-report
flag during protection.
iosdefender --generate-report --config project.config --output-directory out Molecules.xcarchive
At the end of protection, you will find an efficacy report for each target (app, plugin, framework) that was protected in the output directory.
admin@VMX Molecules % ls -ltr out
total 1200
-rw-r--r--@ 1 admin staff 1052 6 Jun 11:10 Molecules-app-efficacy_report-2024-06-06T11:10:17Z.json
-rw-r--r--@ 1 admin staff 604080 6 Jun 11:10 Molecules-protected.tar.gz
-rw-r--r--@ 1 admin staff 1052 6 Jun 11:10 Firebase-framework-efficacy_report-2024-06-06T11:10:17Z.json
-rw-r--r--@ 1 admin staff 1052 6 Jun 11:10 Firebase-plugin-efficacy_report-2024-06-06T11:10:17Z.json
The filenames are in the form of <target_name>-<target_type>-efficacy_report-<timestamp>.json
and contain JSON data:
"file_version": "1.0.0",
"application": {
"name": "Molecules",
"version": "1.0/1",
"package_name": "",
"main_file_path": "/Users/admin/Molecules.xcarchive/Products/Applications/Molecules.app/Molecules",
"supported_platforms": [
"iphoneos"
],
"supported_architectures": [
"arm64"
]
},
"environment": {
"host_platform": {
"os": "Darwin",
"os_version": "14.5",
"architecture": "arm64"
},
"tool": {
"name": "IOSdefender",
"version": "6.10"
},
"config": {
"config_file_path": "/Users/admin/project.config"
},
"time_stamp": "2024-06-06T11:10:16Z"
},
"protection": {
"anti_tamper": {
"enabled": true,
"superchecks": true,
"check_network": true,
"check_density": 0.5
},
<..>
Signing the protected application
The protected application is not signed since the signature was removed from the submitted archive. The application needs to be re-signed with your valid identity and app entitlements before distribution. Xcode uses the codesign command line tool to sign the application. This tool can be also used to sign the app without Xcode as well.To ensure valid signing a script with code sign command(s) was auto-generated and packaged along with the archive. It is mandatory to use this signing script. The script requires a valid sign identity to be passed in. Open the terminal window, locate sign_archive.sh
script and type the following command.It’s important the script is running from the folder where the protected archive is located because the auto-generated script uses relative paths.$ ./sign_archive.sh <identity>
where <identity>
is your code signing certificate in your keychain. The script can also display a list of identities (private key + certificate) when called without arguments.Example:$ ./sign_archive.sh F10902278BC3BD7640DAAD8DB92294BC535AE825
The list of identities (private key + certificate) can be obtained by typing the following command in the terminal window.$ security find-identity -v -p codesigning
To produce an installable, “.ipa” file add the –export-ipa switch to the command.This will produce an ipa file in the directory output which can be installed to devices or uploaded to the app store.
Example of code signing
Below is an example of code signing of protected Molecules app. The archive was created in /tmp/protected
folder.
-
Locate the archive with unsigned protected app.
/tmp/protected $ ls Molecules-protected.xcarchive
-
Extract all files from the archive.
/tmp/protected $ tar xf Molecules-protected.tar.gz /tmp/protected $ ls Entitlements-Molecules.plist Molecules-protected.tar.gz Molecules-protected.xcarchive README-post-protection.txt sign_archive.sh
-
Find a suitable identity for code signing.
/tmp/protected $ security find-identity -v -p codesigning 1) 57966130A9A949FE5439D064BC63E9156155EBAE "Apple Development: Denis Alyshev (XXXXXXXXXX)" 2) 126E9F00964AF0495F7C5C939A6C21AC45A73688 "iPhone Developer: Denis Alyshev (XXXXXXXXXX)" 2 valid identities found
-
Sign the archive.
/tmp/protected $ ./sign_archive.sh 126E9F00964AF0495F7C5C939A6C21AC45A73688 Signing Molecules-protected.xcarchive Success.
Extracting IPA file
After signing the protected archive, the application can be exported to IPA format for local distribution. This step is not required if the application is intended for distribution via Apple App Store. The IPA can be created using Xcode Organizer or using Xcode command line tools.
$ xcodebuild -exportArchive -archivePath <archive> -exportOptionsPlist ExportOptions.plist -exportPath <path>
Where:
- <archive> is the full path to the archive
- ExportOptions.plist is a plist file with export options
- <path> is the output folder where the IPA will be placed.
The same version of Xcode IDE must be used for the protection of the archive and IPA export. The active Xcode version and the command line tool version can be checked with the following command lines:
$ xcodebuild -version
Xcode 14.3
Build version 14E222b
$ xcode-select -p
/Applications/Xcode-14.3.app/Contents/Developer
Updated about 20 hours ago