In a previous post I listed a line of code that looked like this:
NSString *credentials = [NSString stringWithFormat:@"%c%s%@%c%c%s%@", 'u', "ser:", @"pas", 's', 'w', "ord", @"@"];
Reader Matt asked me to expand on this in his comment. (Hint: Don’t be afraid to suggest topics for this blog.)
The reason for the curious-looking line above is to avoid having the whole string easily visible in the binary application file. Had I just written this:
NSString *credentials = @"user:password";
it would be trivial to search the binary file and find this information in clear text. But by breaking the string up into a mix of characters, C strings and Objective-C strings, the pieces are dispersed across the binary file, making them more difficult to find.
Another way to obscure a string is to manipulate it before it’s used. A simple example is to add 1 to each byte so that “HAL” becomes “IBM”. Of course you can make that transformation as complex as you want.
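To make the byte-shifting idea concrete, here is an added example in plain C (not code from the original post). It stores the credential pre-shifted by +1 the way it would sit in the binary, checks that a plain byte search for the clear text fails against that stored form, and only reconstructs the clear text at the point of use. The constant "vtfs;qbttxpse", the helper names and the "user:password" value are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* The obscured form of "user:password" as it would sit in the binary:
 * every byte pre-shifted by +1 (constructed for this example). */
static const unsigned char OBSCURED[] = "vtfs;qbttxpse";
static const size_t OBSCURED_LEN = sizeof(OBSCURED) - 1;

/* Add `delta` to every byte in place; with delta = 1, "HAL" becomes "IBM". */
void shift_bytes(unsigned char *buf, size_t len, int delta)
{
    for (size_t i = 0; i < len; i++)
        buf[i] = (unsigned char)(buf[i] + delta);
}

/* Plain byte search, standing in for what a `strings` pass or a hex editor
 * does when it looks for a literal in the binary. Returns 1 if found. */
int contains(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || n > hay_len)
        return 0;
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Does the binary-resident form still expose the clear text? (expected: 0) */
int obscured_contains_plaintext(void)
{
    return contains(OBSCURED, OBSCURED_LEN, "user:password");
}

/* Reconstruct the clear text at the point of use. Returns the length
 * written, or -1 if `out` is too small for the string plus terminator. */
int decode_credentials(char *out, size_t out_size)
{
    if (out_size < OBSCURED_LEN + 1)
        return -1;
    memcpy(out, OBSCURED, OBSCURED_LEN);
    shift_bytes((unsigned char *)out, OBSCURED_LEN, -1);
    out[OBSCURED_LEN] = '\0';
    return (int)OBSCURED_LEN;
}

int main(void)
{
    char creds[32];
    printf("obscured bytes contain clear text: %d\n", obscured_contains_plaintext());
    if (decode_credentials(creds, sizeof creds) < 0)
        return 1;
    printf("decoded at runtime: %s\n", creds);
    /* Once used, overwrite the clear text so it does not linger in memory.
     * A plain memset on a buffer that is never read again may be optimized
     * away; prefer memset_s or explicit_bzero where the platform has them. */
    memset(creds, 0, sizeof creds);
    return 0;
}
```

The check in obscured_contains_plaintext is the whole point of the technique: the literal is no longer a contiguous run of bytes in the file. Note what it does not buy you: the clear text still exists in process memory after decode_credentials runs, and anyone who finds the shift routine can undo it, which is exactly the haystack-versus-safe distinction drawn below.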
Keep in mind that security by obscurity is simply hiding information, which is very different from encryption with a mathematically proven algorithm. Finding a needle in a haystack may take a long time, but it only requires luck or patience, whereas cracking a good safe is genuinely difficult. When you think about security for your application, you need to decide whether a haystack is good enough for the information you’re trying to protect. When it is, feel free to use a variation of the techniques described here.