Objective-C Framework Protection

I have developed a number of frameworks that I want to ship with my application. I don't want others to be able to use the frameworks, but i've seen utilities such as class-dump which can get the headers back easily.

My question is, how can I make my frameworks more secure? I know that they'll never be 100% secure, but are there some go开发者_StackOverflowod general tips to follow?

Thanks!

In short, don't bother. The very nature of the Objective-C runtime is that there is significant metadata available.

The reality is that it would be exceedingly rare for someone to pick up your framework and try to embed/use it.

Note that code obfuscators don't really work very well; there is still quite a bit of metadata that must be exposed. You can go that route, but -- generally -- it makes debugging/crash analysis significantly more difficult without actually solving a real problem.

I see others have pointed you down the path of obfuscation (though I suspect that the answer of #define someSelector mmmrrrggglll wasn't really tested much).

Some specific points to consider as you go down this path (I'm sure I've missed many):

• if you use KVO/KVC, make sure you obfuscate all those calls to addObserver:* and the like

• if you are targeting Mac OS X, don't forget about Bindings, too!

• Interface Builder's xib files will often contain references to instance variables and/or properties and/or methods. Don't forget about those!

• Anything that uses runtime introspection will need obfuscation, too.

• make sure you don't obfuscate anything that the system frameworks are dependent; wouldn't want to subclass NSView, say, and then obfuscate drawRect: or initWithFrame:.

• In some cases, the Info.plist can refer to class names and entry points. Don't mess with those, either!

• Also, make sure every use of @selector() is also properly obfuscated; nothing like setting up an NSTimer firing against a method that no longer exists.

• Make sure your obfuscation plans also includes the engineering work necessary to create an un-obfuscator for crash logs.

• You'll also want to consider how you are going to debug a production binary; assume your stack traces will be obfuscated. b mmmrrrggglll ftw!

• If your framework has symbol exports control, make sure to obfuscate 'em, too! Keep in mind that the way symbols are created differs between architecture and compiler, in some cases.

You can use static libraries to link with your application instead of frameworks. However, if you want to ship frameworks, you can use code obsfucators to make your library more difficult to use.

EDIT:

This SO post has a pretty simple description of a basic obsfucation.
How can objective C classes be encrypted

There are products on the market that do this, but they are expensive.