How to obfuscate Objective C code of Cordova hybrid app?

Question

I have an Ionic v1 / Cordova mobile app and I need to obfuscate all sources. For obfuscation of Javascript I have used https://github.com/javascript-obfuscator/javascript-obfuscator and for Java for Android I have used https://github.com/greybax/cordova-plugin-proguard. As I couldn't find any cordova plugin for obfuscation of Objective C and I decided to use https://github.com/preemptive/PPiOS-Rename.

However, after obfuscation with PPiOS-Rename, there seems to be a problem with obfuscation of cordova plugins and I'm unable to run the app correctly. If I remove the plugins from obfuscation process the app would work but I need to make obfuscated also the code of plugins.

Does anybody have experience with obfuscating the Objective C code of Cordova app please?

Thanks!

Answer 1

The problem that you have is that Cordova relies on a bridge between your app code written in Javascript and the underlying native code in order to function. By obfuscating all of the Objective C code, the Javascript layer is unaware of this, and can no longer find the native class names it is looking for.

For example, let's suppose you have included cordova-plugin-device in your app.

Its <feature> definition for iOS maps the Device feature name to the CDVDevice class.

Let's suppose your Cordova app calls the plugin method device.getInfo(). This in turn invokes a call to cordova.exec() which calls the Device feature with the getDeviceInfo action.

Under the hood, Cordova looks up Device to find the native class name it's mapped to (CDVDevice) and then on the iOS platform it attempts to call the getDeviceInfo() member function on this class.

However, by running the PPiOS-Rename tool, you have obfuscated both the class name (CDVDevice) and the function name (getDeviceInfo()) so Cordova cannot find the class or function to invoke, so will throw an error.

In this case you'd need to exclude the CDVDevice using the filter option provided by PPiOS-Rename, for example:

ppios-rename --analyze -F 'CDVDevice' /path/to/program.app/program

If you wish to proceed with obfuscating the Objective C layer of your Cordova app, you will have to add exclusions for all of the class and function names which Cordova calls explicitly from the Javascript layer. This includes any Cordova plugin interface classes in your project, and possibly classes belonging to the Cordova framework itself (as cordova-plugin-proguard does for ProGuard on Android.