iOS App Shield

Introduction

Quixxi Security can be used by enterprises and mobile app developers to secure their mobile apps from piracy, revenue loss, IP theft, loss of user data, hacking and cracking. Quixxi Security ensures your application is fully protected with our multi-layered encryption engine that prevents your application from being reverse engineered and tampered with.

Steps to apply Quixxi Security to iOS app

Please follow the steps below to protect your iOS application with Quixxi Security

  1. Create a new app in Quixxi Portal using the “Add New” box
  2. In the “Create your app” dialog give a name to your application and click “Continue”
  3. Click the newly created app and choose “Shield” tab in the header bar
  4. Drag and Drop your IPA file and click on “Next”
  5. Now start configuring the security options according to your needs. You can find their detailed explanations here. Once done please click on “Next” to start protecting your app
  6. Once the compilation is over you will be redirected to the “Download” section. Your protected app will be available by clicking on “Download Protected App”
  7. If you decided to sign the ipa locally instead of uploading the Development/Distribution certificate in Quixxi Portal while applying the Shield you MUST now sign the downloaded ipa file to have it working on mobile. You can find the detailed manual signing procedure here

iOS Shield options description

Quixxi Shield is available only for plans that are equal or superior to the Pro one

IMPORTANT – in all the options involving the app termination please bear in mind that the final user will NOT be notified about the specific cause for security reasons, so use the options wisely

Runtime App Protection

Disable copy & paste functionality on standard text fields

This option is set to OFF state by default and can be modified. If this option is ON, Quixxi Shield will search the UITextField elements in the app. When found, Quixxi Shield will insert the logic to prevent copying and pasting the content outside the app

IMPORTANT – the copy and paste protection applies ONLY when the copied content is taken from UITextField elements

Disable paste option on password text fields

This option is set to OFF state by default and can be modified. This option applies ONLY to native apps. If this option is ON, Quixxi Shield will search the UITextField elements which are set as secureTextEntry. When found, Quixxi Shield will insert the logic to prevent pasting the content into the password text fields

Prevent screen recording via QuickTime Player and Screen Recording

This option is set to OFF state by default and can be modified. If this option is ON, Quixxi Shield will insert the logic to prevent the app from being recorded using QuickTime Player on Mac [Movie Recording functionality] or via Screen Recording on iPhone for iOS 11 and later versions. If the user tries to record the mobile screen in such conditions then Quixxi Shield will show a white screen with the message “Can’t record the mobile screen”

Prevent AirPlay Screen Mirroring

This option is set to OFF state by default and can be modified. If this option is ON, Quixxi Shield will insert the logic to prevent the AirPlay screen mirroring. If the user tries to share the mobile screen in such conditions then Quixxi Shield will prompt a white screen for the mirrored one with the message “Can’t perform screen mirroring”

Blur the app when put in background

This option is set to OFF state by default and can be modified. If this option is ON, Quixxi Shield will insert the logic to blur the app preview when the app is put in background

Terminate the app running in jailbroken devices

This option is set to OFF state by default and can be modified. If this option is ON, Quixxi Shield will insert the logic to terminate the app when executed in a jailbroken phone. This option can be used to stop the app regardless of the store from where it was downloaded and installed

Allow apps installed from AppStore to bypass the jailbreak protection

This option is set to OFF state by default and can be modified only when the previous “Terminate the app running in jailbroken devices” is ON. If this option is ON, Quixxi Shield will insert the logic to terminate the app exclusively on those devices which did NOT install the app from App Store

IMPORTANT – This option must be chosen VERY carefully. We introduced it to let all the customers who downloaded from safe markets use the app on jailbroken devices. This is extremely important for paid apps, because customers who are denied access after a regular purchase can destroy the app's reputation on the markets. On the other hand please consider that the possibility itself to run the app on jailbroken devices – even though only under controlled conditions – will make you fail advanced security assessments, especially if the data handled by the app are sensitive [as in fintech, healthcare, etc.]

Tamper Protection

Report to Quixxi portal after threat detection

This option is set to ON by default and can be modified. If this option is ON, Quixxi Shield will report on Quixxi portal and in real-time the occurrence of the following threats, when the related shield option is selected: app not passing the integrity check, app attached to debugger, app running in a jailbroken device and published or TestFlight app later resigned

Validate app integrity

This option is set to ON by default and can’t be modified. If this option is ON, Quixxi Shield will insert the logic to verify the integrity of the app at runtime. If the check fails, then the app will be immediately terminated

Terminate your Published or TestFlight app when resigned

This option is set to OFF by default and can be modified. If this option is ON, Quixxi Shield will insert the logic to verify that the original application has not been resigned after being downloaded from the App Store or TestFlight. If the check fails, then the app will be immediately terminated

IMPORTANT – This option is NOT intended to be applied on debug builds. In this case the app will be immediately terminated because the debug versions lack the encryption, which is instead expected to be found on Published or TestFlight apps

Terminate the app when running with the debugger attached

This option is set to OFF by default and can be modified. If this option is ON, Quixxi Shield will insert the logic to immediately terminate the app whenever a debugger is attached

Encrypt the UserDefaults values

This option is set to OFF by default and can be modified. This option applies ONLY to native apps. If this option is ON, Quixxi Shield will insert the logic to encrypt the values before storing them in UserDefaults

IMPORTANT – Once this option is switched ON for a particular app version then the same setting must be applied also for the future releases or you will likely experience app crashes. The technical reason is that if e.g. version 3.2 of your app makes use of the automated encryption/decryption logic for the UserDefaults then version 3.3 and following will need the same automated mechanism when dealing with previously encrypted content

Encrypt files created and used by the application at runtime

This option is set to OFF by default and can be modified. This option applies ONLY to native apps. If this option is ON, Quixxi Shield will insert the logic to encrypt the content of runtime files before storing it in the app sandbox

IMPORTANT – Once this option is switched ON for a particular app version then the same setting must be applied also for the future releases or you will likely experience app crashes. The technical reason is that if e.g. version 3.2 of your app makes use of the automated encryption/decryption logic for the files produced at runtime then version 3.3 and following will need the same automated mechanism when dealing with previously encrypted content

Secure Communication

SSL certificate validation via SSL pinning

This option is set to OFF state by default and can be modified. This option applies ONLY to native apps. If this option is ON, Quixxi will hardcode the public key used by the mobile app [i.e. the client] to authenticate the server. In this way the app can ignore the device trust store and rely only on the assigned one[s]. The developer will enter the URLs making use of the public key to be verified. Quixxi will retrieve their public keys and include them within the logic needed to increase the security level of the app data in transit

App Signing

Sign your IPA after applying security shield

This option is set to OFF by default and can be modified. If this option is ON, Quixxi Shield will first apply its security layer and then sign this secured IPA with your Certificate and Provision Profile. So the protected app that you will receive from the Download section of our portal is ready to be directly published on the App Store or directly installed in your provisioned devices. Of course you can also choose to benefit from Quixxi Shield effects without revealing your certificates to us, signing the IPA on your own machine later

IMPORTANT – from a purely functional point of view signing the IPA on Quixxi portal or locally makes no difference at all. But forgetting to sign it makes a dramatic difference. The device does not allow any unsigned IPA to be installed and any attempt to bypass this rule will fail. Moreover the App Store will not allow an unsigned IPA to be published

NOTE: if you need a protected and signed test app you will first need to access the “Edit iOS Provisioning Profile (Development)” window in the Apple portal, giving the permission to your testers. Then you will just need to provide the Development Certificate & Development Provision in the Quixxi boxes

Supervise configuration

Send events and device info to Quixxi portal [basic version]

This option is set to ON by default and can’t be modified. If this option is ON, Quixxi Shield will insert the logic to log basic events [new user and app start] plus other basic data like store used for the download, device vendor, model, operating system, app version, etc. In this case Quixxi will receive the data and automatically organize their display on the portal in pie charts and lists

Send crash reports to Quixxi portal

This option is set to OFF by default and can be modified. If this option is ON, Quixxi Shield will insert the logic to detect the app crashes, filing each of them on Quixxi portal together with the debugging files needed to fix the issues. Moreover we will directly embed on our website a StackOverflow search for each of the problems that were collected

Steps to manually sign an IPA

  1. Select “Shield” tab in the header bar, click on “Download” in the left menu, choose the Apple icon in the top right corner and click on “Download the protected app”
  2. Unzip the IPA
    unzip <protected_ipa>.ipa -d UNPACKED_FOLDER
  3. Sign the Plugins
    cp <path to your app mobile provision> UNPACKED_FOLDER/Payload/<app_name>.app/PlugIns/<plugin_name>.appex/embedded.mobileprovision
    codesign -f -s "<Signing Identity Name in Keychain Access>" "UNPACKED_FOLDER/Payload/<app_name>.app/PlugIns/<plugin_name>.appex"
  4. Sign the Watch Kit Extensions
    – Sign the watch kit plugins

    cp <path to your app mobile provision> UNPACKED_FOLDER/Payload/<app_name>.app/Watch/<watch_kit_name>.app/PlugIns/<plugin_name>.appex/embedded.mobileprovision
    codesign -f -s "<Signing Identity Name in Keychain Access>" "UNPACKED_FOLDER/Payload/<app_name>.app/Watch/<watch_kit_name>.app/PlugIns/<plugin_name>.appex/"

    – Sign the watch kit app

    cp <path to your app mobile provision> UNPACKED_FOLDER/Payload/<app_name>.app/Watch/<watch_kit_name>.app/embedded.mobileprovision
    codesign -f -s "<Signing Identity Name in Keychain Access>" "UNPACKED_FOLDER/Payload/<app_name>.app/Watch/<watch_kit_name>.app"
  5. Sign the QuixxiShield
    cp <path to your app mobile provision> UNPACKED_FOLDER/Payload/<app_name>.app/embedded.mobileprovision
    codesign -f -s "<Signing Identity Name in Keychain Access>" "UNPACKED_FOLDER/Payload/<app_name>.app/Frameworks/QuixxiActivation.framework/"
    codesign -f -s "<Signing Identity Name in Keychain Access>" "UNPACKED_FOLDER/Payload/<app_name>.app/Frameworks/QuixxiSecurityShield.framework/"
    codesign -f -s "<Signing Identity Name in Keychain Access>" "UNPACKED_FOLDER/Payload/<app_name>.app/Frameworks/QuixxiLicensing.framework/"
  6. Sign the application
    – Using same provisioning profile [Recommended]

    cp <path to your app mobile provision> UNPACKED_FOLDER/Payload/<app_name>.app/embedded.mobileprovision
    codesign -d --entitlements :- UNPACKED_FOLDER/Payload/<app_name>.app/ > ENTITLEMENT.plist
    codesign -f -s "<Signing Identity Name in Keychain Access>" --entitlements ENTITLEMENT.plist "UNPACKED_FOLDER/Payload/<app_name>.app"

    NOTE: you can get your Signing Identity name in Keychain Access

    – Using different provisioning profile

    1. Copy the provisioning profile into the application package
      cp <path to your app mobile provision> "UNPACKED_FOLDER/Payload/<app_name>.app/embedded.mobileprovision"
    2. Reveal the provisioning profile content
      security cms -D -i <path to your app mobile provision>

    3. Locate the entitlements section and copy the Entitlements dictionary
    4. Create ENTITLEMENT.plist file and paste the content copied in step 2
    5. Finally sign the IPA file
      codesign -f -s "<Signing Identity Name in Keychain Access>" --entitlements ENTITLEMENT.plist "UNPACKED_FOLDER/Payload/<app_name>.app/"
  7. Repack the IPA
    – method 1

    cd UNPACKED_FOLDER
    zip -qr "<app_name>.ipa" *

    Note: UNPACKED_FOLDER may contain the payload and other swift support files

    – method 2
    Select the Payload and Swift support files, compress them, then change the file extension from .zip to .ipa
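
For step 6, “Using different provisioning profile”, the copy-and-paste of the Entitlements dictionary can be scripted. The following is an added example, not Quixxi code: it reads the text printed by `security cms -D -i`, writes ENTITLEMENT.plist, and flags a profile that does not cover the bundle id, has expired, or is a development profile. The function names, the sample profile and the bundle id `com.example.shop` are assumptions made for illustration.

```python
import fnmatch
import plistlib
from datetime import datetime, timezone

# Constructed sample of what `security cms -D -i <profile>` prints (trimmed).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Name</key><string>Example Dev Profile</string>
  <key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.*</string>
    <key>com.apple.developer.team-identifier</key><string>ABCDE12345</string>
    <key>get-task-allow</key><true/>
  </dict>
</dict>
</plist>
"""


def extract_entitlements(decoded_profile: bytes) -> dict:
    """Return the Entitlements dictionary of a decoded provisioning profile."""
    return plistlib.loads(decoded_profile)["Entitlements"]


def write_entitlements(decoded_profile: bytes, path: str = "ENTITLEMENT.plist") -> None:
    """Write the Entitlements dictionary as the plist handed to codesign."""
    with open(path, "wb") as fh:
        plistlib.dump(extract_entitlements(decoded_profile), fh)


def review_profile(decoded_profile: bytes, bundle_id: str, now: datetime = None) -> list:
    """List problems worth fixing before the app is signed with this profile."""
    profile = plistlib.loads(decoded_profile)
    ent = profile["Entitlements"]
    # plistlib returns naive UTC datetimes, so compare against naive UTC.
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    findings = []
    team = ent.get("com.apple.developer.team-identifier", "")
    app_id = ent.get("application-identifier", "")
    # The profile's App ID may end in a wildcard, e.g. TEAMID.com.example.*
    if not fnmatch.fnmatchcase(f"{team}.{bundle_id}", app_id):
        findings.append(f"bundle id {bundle_id} is not covered by {app_id}")
    # Development profiles set get-task-allow, which lets a debugger attach.
    if ent.get("get-task-allow"):
        findings.append("get-task-allow is true: development profile, not for release")
    expires = profile.get("ExpirationDate")
    if expires is not None and expires <= now:
        findings.append(f"profile expired on {expires:%Y-%m-%d}")
    return findings


if __name__ == "__main__":
    write_entitlements(SAMPLE_PROFILE)
    for finding in review_profile(SAMPLE_PROFILE, "com.example.shop"):
        print("WARNING:", finding)
```

Save the output of `security cms -D -i` to a file and pass its bytes to these functions in place of the constructed sample.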

iOS SDK – Quick Start Guide

Introduction

Quixxi Security can be used by enterprises and mobile app developers to secure their mobile apps from piracy, revenue loss, IP theft, loss of user data, hacking and cracking. Quixxi Security ensures your application is fully protected with our multi-layered encryption engine that prevents your application from being reverse engineered and tampered with.

Salient features

  1. The Security Framework encrypts the business logic code of your application and moves it to the native low layer
  2. The framework uses Java reflection to hide the method calls; it removes the method body and replaces it with native method calls to protect the app's business logic from crackers
  3. Prevents revenue loss caused by cracked usage of application
  4. Easy to Integrate with your existing applications
  5. Provides additional APIs for encrypting app data and shared preferences API for storing data secretly in device

QuixxiApp Security Framework

It is a combination of the following modules that makes your app work in a secure way.

Quixxi data protector

Under encrypted data we have the following options.

Quixxi app protector

This detects whether the device has been jailbroken and whether the application is running in debug mode.

Core data

This enables the Core Data store to encrypt values before storing them. After the setup, usage of Core Data remains the same.

SQLite

Makes the application use the encrypted SQLite Database. With this, all the data will be encrypted into cipher text with a password key.

Steps to apply Quixxi Security to iOS app

Please follow the steps below to protect your iOS application with Quixxi Security

  1. Create a new app in Quixxi Portal using the “Add New” button.
  2. In the “Create your app” dialog give a name to your application and click Continue.
  3. Click the newly created app and choose “Security” in the header tab.
  4. Under the iOS section click “Protect now” to protect your app.
  5. In the next window make sure the Apple radio button is selected and click on the Compile button.
  6. Scroll down the window, choose the appropriate plan and then click Next.
  7. Once you click Next the framework will be compiled.
  8. Once the Quixxi Security framework is compiled, click on Download Library to download the protection library.

Integration of Quixxi security Framework to your app

  1. Create an Xcode project
  2. Right click on the project and choose -> Add Files to Project Name
  3. Navigate to the QuixxiAppSecurity.framework that you have and click open
  4. Now we need to add the framework to the project. For that, click on the Project, choose the targets of your project and choose the General tab. Under General look for Embedded Binaries, click the (+) Plus button and choose the QuixxiAppSecurity.framework.
  5. Search for Other C Flags in build settings for your target and add -DSQLITE_HAS_CODEC (if you have differing Debug and Release flags, add it for both configurations)
  6. Drag the QuixxiActivation.framework and keys.txt file.
  7. Choose the Generic iOS Device, clean and build the project.

Now your application is secured and ready for market release

Utility API

In addition to features, Quixxi Security provides utility APIs for usage in application development.
You can also check out our API Reference for more detailed information about our SDK.

Quixxi App Protector

This detects whether the device has been jailbroken and whether the application is running in debug mode.


For jailbroken

Open the Appdelegate.m and add the following lines under didFinishLaunchingWithOptions method.


For debugger detection

Open the Appdelegate.m and add the following lines under didFinishLaunchingWithOptions method.


The code above checks whether the device is jailbroken and whether a debugger is connected.

Quixxi Data Protector – Core Data

Quixxi Data Protector for Core Data makes the Core Data store keep its data in encrypted form. After the setup nothing changes: the usage is exactly the same as working with Core Data. All the data that is present in the database will be encrypted.

  1. Open the Appdelegate.h and add the following line

  2. Look for the method

    The above line allows the Core Data store to be used as an encrypted store. After the above setup the usage of Core Data will be the same as usual.

  3. To test whether the database is encrypted or not, open Xcode -> choose Windows -> Devices
  4. Choose the connected device and select the App -> Choose (+) and select -> Download Container. Choose the specific folder and save.
  5. Open the sqlite database from the App Container.
  6. Open the command line and give the following command.

Quixxi Data Protector – SQLite

Quixxi Data Protector makes the application use the encrypted SQLite Database, so all the data will be encrypted into ciphertext with a password key. All the data that is present in the database will be encrypted

  1. Open the Appdelegate.h and add the following line

  2. Add the following two lines after opening the database

    The above line allows the core data store to be used as an encrypted store. After the above setup the usage of the core data will be the same as usual.

    Example:


  3. To test whether the database is encrypted or not, open Xcode -> choose Windows -> Devices
  4. Choose the connected device and select the App -> Choose (+) and select -> Download Container. Choose the specific folder and save.
  5. Open the sqlite database from the App Container.
  6. Open the command line and give the following command, which will show the encrypted database.
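
The test steps for both the Core Data and SQLite protectors end with a command that this page does not show. As an added example (not Quixxi's command or SDK code), the script below inspects a database file taken from the downloaded container: it checks for the standard SQLite header and tries to open the file without any key. It assumes a database encrypted as a whole file no longer opens with stock SQLite; `inspect_database` is a hypothetical helper name.

```python
import pathlib
import sqlite3
import sys

# Every unencrypted SQLite 3 database file starts with these 16 bytes.
SQLITE_MAGIC = b"SQLite format 3\x00"


def inspect_database(path: str) -> dict:
    """Report whether a file from the app container opens without a key."""
    db = pathlib.Path(path)
    with db.open("rb") as fh:
        header = fh.read(16)
    result = {
        "plaintext_header": header == SQLITE_MAGIC,
        "readable": False,
        "tables": [],
    }
    if len(header) < 16:
        result["verdict"] = "empty or truncated file"
        return result
    try:
        # Read-only open with no key, as any stock SQLite tool would do.
        con = sqlite3.connect(db.resolve().as_uri() + "?mode=ro", uri=True)
        try:
            rows = con.execute(
                "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"
            ).fetchall()
        finally:
            con.close()
        result["readable"] = True
        result["tables"] = [row[0] for row in rows]
    except sqlite3.DatabaseError:
        # Raised as "file is not a database" when the pages are not plain SQLite.
        pass
    if result["readable"]:
        result["verdict"] = "NOT encrypted: schema readable without a key"
    elif result["plaintext_header"]:
        result["verdict"] = "plaintext header but unreadable: inspect manually"
    else:
        result["verdict"] = "opaque to SQLite: consistent with an encrypted store"
    return result


if __name__ == "__main__":
    for name in sys.argv[1:]:
        report = inspect_database(name)
        print(name, "->", report["verdict"], report["tables"])
```

Run it against the .sqlite file found in the downloaded container; any table names in the output mean the data is stored in the clear.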