16 Sep 2022
Apple released Xcode 14.0 on September 12th, and so we wanted to clarify what this update means for DexProtector.
As the Xcode 14 release notes explain:
- Starting with Xcode 14, bitcode is no longer required for watchOS and tvOS applications, and the App Store no longer accepts bitcode submissions from Xcode 14.
- Xcode no longer builds bitcode by default and generates a warning message if a project explicitly enables bitcode: “Building with bitcode is deprecated. Please update your project and/or target settings to disable bitcode.” The capability to build with bitcode will be removed in a future Xcode release.
So, what does this mean for DexProtector, and for DexProtected iOS apps?
As you might already be aware, up until now DexProtector’s code hardening mechanisms for Swift and Objective-C have been applied at the bitcode level: that’s String Encryption, Hide Access, and, most obviously, Bitcode Obfuscation.
That’s why we have been preparing a transition away from bitcode from the moment Apple made the announcement back in June. In fact, it’s a move we’d already considered making - the announcement just expedited things for us.
The upshot is:
- Future versions of DexProtector will take a ‘bitcode-free’ approach to Swift and Objective-C code hardening
- The code hardening mechanisms for bitcode-free packages will remain fundamentally the same. String Encryption and Hide Access will still be available, and Class Metadata Encryption will take the place of Bitcode Obfuscation. In other words there’ll be no great changes in configuration
- DexProtector will continue to support bitcode builds until Apple removes it entirely from Xcode. This will not affect App Store submission, since DexProtector can already strip all bitcode after protection; there is no bitcode in the app when it is uploaded to the App Store
- We’ll be releasing a transitional version of DexProtector in the next month that will detect the presence - or absence - of bitcode in the package and process the code accordingly
- This new version of DexProtector will be assessed and certified according to EMVCo standards by an external testing lab, as has been the case with previous major updates
- As for all of DexProtector’s resource encryption, RASP, integrity control, and network security mechanisms, nothing will need to change. That means no changes for hybrid apps, too. Business as usual
So, our recommendation to you is to continue with Xcode 13.4.1 for just another few weeks until the updated version of DexProtector arrives. That way there should be no disruption at all.
I hope this email clarifies any questions you might have had about Xcode and DexProtector. If any other queries come to mind, please do let us know and we'll be pleased to address them.