Xcode: hide / protect resource files in final iOS app?

I plan to develop an app for iOS and want to use HTML5, CSS and Javascript. The final app should be implemented as a native app using Xcode and UIWebView.

Can I hide or protect my html files in the final app? I have to put the files in the folder called "Supporting Files" in Xcode. Therefore, everyone can view the plain files after purchasing the app by extracting the .ipa file, right?


There's many ways to protect your data, depending on how good you want the protection to be. For very minimal protection against only casual hackers, you could use a string obfuscation algorithm to obfuscate and de-obfuscate the HTML content as NSStrings. Here's an example of doing that. I haven't used that particular code, but I'm also not really recommending obfuscation as a technique, unless the data really isn't very sensitive.

The better solution is to encrypt the HTML content, although that's more work, and may involve some export control issues, depending on where you are, and where you're distributing your app.

For encryption, you have lots of options.

1) Here is an open source implementation that provides a secure version of something like NSUserDefaults. I don't see an equivalent to registerDefaults: in that code, though, so it's possible that the first time your app runs, you may have to download the content from the web. But, then you could encrypt and store it in PDKeychainBindings as a string value. On subsequent runs, you could then extract stored HTML "files" like this:

NSString* webPageContent = 
    [[PDKeychainBindings sharedKeychainBindings] valueForKey: @"index.html"];

2) Here's another open source project that provides AES encryption wrappers. You would write some non-production code before releasing your app to encrypt the HTML content into encrypted data files that would be bundle resources. When your app runs, it opens the files and decrypts them into NSString objects which can be given to your UIWebView via loadHTMLString: baseURL:.

3) Finally, here's another example of using the underlying CommonCrypto APIs to protect bundle resources. This example uses a custom build step to automatically encrypt resources in a particular folder, which would save you some time if your protected HTML content is going to change reasonably often.

You can encrypt the files and decrypt them at runtime or you can not include them in your bundle and have a compile time script that reads them and converts them into encoded data in your app that you can just load into your UIWebView with:

- (void)loadData:(NSData *)data MIMEType:(NSString *)MIMEType textEncodingName:(NSString *)encodingName baseURL:(NSURL *)baseURL

You could create all your HTML and so on also within your code and then use UIWebView's

- (void)loadHTMLString:(NSString *)string baseURL:(NSURL *)baseURL

to manually load every HTML string as plain text. I advice you, however, not to do so. If somebody really wants to isolate every string from your compiled source code, this is possible for him (unless you really do demanding stuff).

Most of the users simply don't care about what's inside the ipa file. If you can live with < 1% who inspects it, don't worry too much about this topic.

Another aspect would be possible as well (even if this is not a fantastic idea): You could point your UIWebView to a secret website only you and your app know. This is absolutely not advisable.

Need Your Help

Keep a method from obfuscate in android

android obfuscation

I want to keep a method from obfuscating and rename.

"User follows" with PropelORM - Three way relationship

php mysql orm propel

Can someone point me in the right direction to do a "user follows" kind of thing. I have 3 tables: users, user_follows, and a posts.