iOS

Configuring DexProtector

Introduction to configuring DexProtector

DexProtector works best when it is tailored to your app.

Configuration is by means of a single XML file, which can be edited directly or via the DexProtector Studio interface. A default configuration file (dexprotector.xml) can be found in the root folder of the distribution package, but every app (or SDK) has different requirements. We therefore strongly recommend that you create your own tailored configuration, in order to target the correct code and resources for protection.

You can use the configuration file to control the DexProtector process according to your needs. The configuration file allows you to specify the details of:

  • Build and logging settings for the DexProtector process
  • Signing methods
  • Protection mechanisms and filters for including/excluding code and resources for protection
  • Environment checks, for the detection of rooted devices; debuggers; emulators; and hooking tools
  • Network security options, including certificate monitoring for both Certificate Transparency and Public Key Pinning mechanisms
  • Integration with Licel's Threat Reporting and Attack Telemetry system, Alice

We recommend making use of all of the security features provided, as each element of protection adds more security and more resistance against malware, reverse engineering, tampering, and Man-in-the-Middle attacks.


Configuration file overview

<?xml version="1.0" encoding="UTF-8" standalone="no"?>

<dexprotector>

<!-- BUILD SETTINGS -->

  <verbose>true</verbose>

<!-- SIGNING -->

  <certificate>no_default</certificate> 

<!-- iOS SETTINGS -->

  <ios mode="all" stripBitcode="off" protectSimulator="off" swiftEnvCheckMode="off">

	<bitcodeObfuscation/>

  <!--  <bitcodeRebuilder>
		<outputdSYMsDir>no_default</outputdSYMsDir>
        </bitcodeRebuilder> -->

	<paranoidMode/> 
	
	<mobileProvisionFile>no_default</mobileProvisionFile>

  <!-- <frameworks mode="all">
		<filters>
			<filter>no_default</filter> 
		</filters>
     </frameworks> -->

  <!-- <cordova/> -->
  <!-- <reactNative/> -->
  <!-- <nativeScript/> -->
	
  </ios>
  
<!-- CODE PROTECTION -->

   <stringEncryption/> 

    <hideAccess/>

<!-- RESOURCE PROTECTION -->

   <resourceEncryption>
        <assets>
            <filters>
               <filter>no_default</filter>
            </filters>
        </assets>
   </resourceEncryption>

<!-- RASP - RUNTIME & ENVIRONMENT CHECKS -->

  <runtimeChecks/>
	
<!-- NETWORK SECURITY -->

  <publicKeyPinning src="no_default">
    <trace>0</trace>
    <actions>block, report</actions>
    <network-security-config>
      <domain-config>
          <domain includeSubdomains="false">no_default</domain>
          <pin-set expiration="no_default">
	     <pin digest="no_default"></pin>
          </pin-set>
      </domain-config>
    </network-security-config>
  </publicKeyPinning>
  <certificateTransparency>
	<trace>0</trace>
	<domain includeSubdomains="false">no_default</domain>
	<!-- <logFile>no_default</logFile> -->
  </certificateTransparency>

<!-- UI PROTECTION -->

  <uiProtection/>

<!-- THREAT REPORTING AND TELEMETRY (ALICE) -->

  <reportMonitoring>
    <apiKey>no_default</apiKey>
    <trace>0</trace>
  </reportMonitoring>

</dexprotector>

Build Settings Description and Values

Verbose Logging

boolean

Element: verbose

Description: Enables/disables verbose logging for the DexProtector process.

Valid values: true; false. Default value: false

<verbose>false</verbose>

Signing Description and Values

Signing Certificate

string

Element: certificate

Description: Specifies the certificate to be used for code signing before testing and/or distribution

<certificate>Apple Distribution: Licel Corporation (2N2DJJYKB2)</certificate>

iOS Settings Description and Values

iOS

Bitcode Obfuscation

Bitcode Rebuilder

Paranoid Mode

Mobile Provision File

Frameworks

Cordova

React Native

NativeScript

Element: ios

Description: Instructs DexProtector to process an xcarchive, IPA, or Framework, and enables the configuration of nested elements for iOS packages.

Attribute: stripBitcode

Valid values: on - enable bitcode stripping; off - disable bitcode stripping

Default value: off

Attribute: protectSimulator

Valid values: on - enable support for the DexProtected app or framework to be run on a simulator; off - disable support for the DexProtected app or framework to be run on a simulator

Default value: off

Attribute: swiftEnvCheckMode

Valid values: on - enable probe and callback methods in Swift for the <detect> Environment Checks element; off - disable probe and callback methods in Swift for the <detect> Environment Checks element

Format: contains nested elements (<bitcodeObfuscation>, <paranoidMode>, <mobileProvisionFile>, <frameworks>, <cordova>, <reactNative>, <nativeScript>)

Element (nested): bitcodeObfuscation

Description: Bitcode Obfuscation conceals the names of the specified classes, their methods, and their fields. The result is that the classes themselves essentially cease to exist, until they are recreated at runtime at the stage of loading the image. Note: The encryption of class names can sometimes lead to errors, because reflections may refer to the original class names during runtime. Note 2: Nothing within frameworks should be obfuscated if it needs to be visible to third parties. Note 3: If the filter for Bitcode Obfuscation contains a forward slash - / - then the class name(s) will not be encrypted.

Format: contains nested elements

     Element (nested): filters

     Format: string

     Default value: no default value

<bitcodeObfuscation>
   <filters>
      <filter><![CDATA[glob:SecretClass*/*]]></filter>
   </filters>
</bitcodeObfuscation>

Element (nested): bitcodeRebuilder

Description: For Crashlytics to function with a DexProtected IPA, the stripBitcode attribute (see above) must be set to "on", with <bitcodeRebuilder> included and <outputdSYMsDir> specified. Crashlytics will function as normal by default with a DexProtected xcarchive.

Format: contains nested elements

     Element (nested): outputdSYMsDir

     Format: string

     Description: Specify the path for the generated .dSYM file

<bitcodeRebuilder>
   <outputdSYMsDir>/Users/developer/outDsyms</outputdSYMsDir>
</bitcodeRebuilder>

Element (nested): paranoidMode

Description: With Paranoid Mode enabled, if DexProtector detects an anomaly during runtime (compromised application integrity; jailbroken device; dynamic instrumentation & hooking frameworks; debuggers; simulators), the application will crash without warning or traces for an attacker to exploit.

Element (nested): mobileProvisionFile

Description: Specify the .mobileprovision file for the provisioning profile.

Format: string

Element (nested): frameworks

Description: Enable Frameworks protection to target Frameworks within an app, and specify them through the filters. If you intend to DexProtect only a Framework (and not an app), there is no need to enable this setting. The other protection settings can be applied as they would be for an app. For filters, the names of frameworks are specified using the root of the frameworks folder. For example, if you have an AppCore.framework in your app, the filter will be AppCore.framework/*, not including Frameworks or any other folder names.

Format: contains nested elements

     Element (nested): filter

     Format: string

     Default value: no default value

<frameworks mode="all">
   <filters>
      <filter><![CDATA[glob:Secret.framework/*]]></filter> 
   </filters>
</frameworks>

Element (nested): cordova

Description: Enables the protection of an iOS app developed with Cordova

Element (nested): reactNative

Description: Enables the protection of an iOS app developed with React Native

Element (nested): nativeScript

Description: Enables the protection of an iOS app developed with NativeScript

Code Protection Description and Values

String Encryption

Element: stringEncryption

Description: Enables DexProtector's String Encryption mechanism. There is no need to specify filters for stringEncryption for iOS packages. DexProtector will encrypt strings in the package by default.

Hide Access

filters

Element: hideAccess

Description: The Hide Access mechanism conceals method calls and field accesses in the packages and classes specified in the filters, breaking the link between the call site and the function being called.

Element (nested): filters

Format: string

Default value: no default value

<hideAccess>
    <filters>
        <filter><![CDATA[glob:ClassA]]></filter>
        <filter><![CDATA[glob:ClassB*/methodA*]]></filter>
        <filter><![CDATA[glob:ClassC/methodB*]]></filter>
    </filters>
</hideAccess>

Resource Protection Description and Values

Resource Encryption

Element: resourceEncryption

Description: Resource encryption protects against malicious copying, modification, and piracy by encrypting an application's internal resources; resource names; and, for cross-platform apps, HTML, JS, and CSS code. Filters can target the assets and res folders, as well as resources in the root folder, and individual string resources.

Element (nested): assets

Description: Encrypts resource files in the target package. Files can be targeted by file pattern (i.e. **.png denotes all files of PNG file format), name pattern (i.e. File1** denotes all files whose names begin with the string "File1"), by specific file name (e.g. File2.json), or by path (e.g. TestDir/File3.txt).

Format: contains nested elements

     Element (nested): filters

     Format: string

     Default value: no default value

<resourceEncryption>
    <assets>
        <filters>
            <filter>**.png</filter>
        </filters>
    </assets>
</resourceEncryption>

RASP (Runtime Application Self-Protection) - Environment & Runtime Checks Description and Values

Runtime Checks

Element: runtimeChecks

Description: With this setting enabled, DexProtector will automatically implement checks on start-up and during runtime, crashing all application processes instantly if any of the following is detected:

  • Compromised application integrity
  • Dynamic instrumentation & hooking frameworks
  • Debuggers
  • Emulators
  • Custom firmware
  • Rooted/Jailbroken devices

Network Security Description and Values

Public Key Pinning

Element: publicKeyPinning

Description: Settings for SSL/HTTP Public Key Pinning.

Default value: no default value

Format: contains nested elements (<actions>, <reportUri>, <reportMethod>, <network-security-config>)

Element (nested): actions

Description: Specifies the actions to be performed if there are errors or anomalies detected during the Public Key Pinning checks

Format: list with the ',' separator

Available values: block - block the connection; report - send a report regarding the connection

Default value: block, report

<actions>block, report</actions>

Element (nested): reportUri

Description: Specifies the address that will be used to send JSON reports regarding any errors or anomalies detected during the Public Key Pinning checks

Format: string

Element (nested): reportMethod

Description: Specifies a method (in the format ClassName.methodName) to which JSON reports are passed in the event of any errors or anomalies detected during the Public Key Pinning checks. These methods should have the public static modifier and a (String jsonStr) signature.

Format: string

Element (nested): cacheTTL

Description: Time to live for a server SSL certificate chain check result for each domain

Format: int

Default value: 180

Element (nested): network-security-config

Description: Embedded Security Configuration

Examples of embedded security configuration settings:

<network-security-config>
            <domain-config>
                <domain includeSubdomains="true">example.com</domain>
                    <pin-set expiration="2023-01-01">
                    <pin digest="SHA-256">7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=</pin>
                    <!-- backup pin -->
                    <pin digest="SHA-256">fwza0LRMXouZHRC8Ei+4PyuldPDcf3UKgO/04cDM1oE=</pin>
                    </pin-set>
            </domain-config>
</network-security-config>

Certificate Transparency

Element: certificateTransparency

Description: Settings for monitoring public key certificates according to the Certificate Transparency standard. DexProtector uses a list of log servers that is located in the distribution package. This list is based on: https://source.chromium.org/chromium/chromium/src/+/master:components/certificate_transparency/data/log_list.json Alternatively, a list of authorized log servers can be specified manually by entering a path to a file containing that list.

Format: contains nested elements (<trace>, <logFile>)

Element (nested): trace

Format: string

Description: For debugging purposes, set trace to 1000.

Default value: no default value

Element (nested): logFile

Format: string

Description: Path to file containing your own list of authorized log servers.

Default value: no default value

<certificateTransparency mode="on">
	<trace>0</trace>
        <domain includeSubdomains="true">no-sct.badssl.com</domain>
	<logFile>/path_to_log_list_file</logFile>
</certificateTransparency>

UI Protection Description and Values

UI Protection

Element: uiProtection

Description: DexProtector’s UI Protection for iOS blocks screen capture and enforces use of the system keyboard. Screen capture blocking hardens your app against screenshots, screen recording, and screen casting. Enforced use of the system keyboard ensures that the app is not exposed to unsafe input from custom keyboards.

Threat Reporting and Telemetry - Alice Integration Description and Values

Threat Reporting

Element: reportMonitoring

Description: Configures Licel’s Real-Time Attack Telemetry and Threat Intelligence service, Alice. For more information, see our guide to Alice.

Format: contains nested elements (<apiKey>, <customFieldsUpdate>, <trace>)

Element (nested): apiKey

Format: string

Default value: no default value

Element (nested): trace

Format: string

Description: The logging level of DexProtector messages on the end device. For debugging purposes, set to 1000. Otherwise, set to 0 or exclude the <trace> node.

Default value: no default value

<reportMonitoring>
    <apiKey>137feb09-f390-4f00-b43f-ebccf530adf6lt</apiKey>
    <trace>0</trace>
</reportMonitoring>

Filters: A guide to targeting code and resources

An important part of the configuration process is specifying which packages and classes will be targeted for protection. DexProtector therefore provides a flexible mechanism for setting custom filters for its protection mechanisms.

For DexProtector for iOS, the fundamental protection mechanisms against static analysis are String Encryption, Hide Access, and Bitcode Obfuscation. There is also Resource Encryption.

For each of these, filters target classes (and/or methods) by name.

Important note: The pattern syntax for DexProtector for iOS is different from that for DexProtector for Android. The basic pattern structure is ClassNamePattern/MethodNamePattern.

String Encryption

For String Encryption there is usually no need to set filters; DexProtector will encrypt all strings in the package by default and it should not have any effect on performance:

<stringEncryption/>

Hide Access

For Hide Access, there is not normally any need to set filters either; it is fast enough not to affect performance significantly. However, here is how to set Hide Access filters if so desired:

1. To hide accesses to all methods in all classes (recommended):

<filter><![CDATA[glob:*]]></filter>

2. To hide access to all methods in classes whose names begin with the string "Test" (i.e. all methods in classes named Test1, TestApp, TestClass, etc.):

<filter><![CDATA[glob:Test*/*]]></filter>

3. For Hide Access, you may also want to target specific methods by name, no matter where they occur. You can do this as follows (methods with names beginning with the string "secretMethod", anywhere in the package):

<filter><![CDATA[glob:*/secretMethod*]]></filter>

4. Equally, you may wish to target specific methods within specific classes. Here's an example of how to do that (methods with names beginning with the string "secretMethod" within classes with names beginning with the string "Test"):

<filter><![CDATA[glob:Test*/secretMethod*]]></filter>

Bitcode Obfuscation

This feature is analogous to the Class Encryption protection mechanism for Android. That means it encrypts/protects the names of classes, their methods, and fields. In fact, the obfuscated class essentially ceases to exist, with all of its metadata removed. The class is then recreated during runtime at the stage of loading the image.

The encryption of class names, however, can sometimes lead to errors, because references/reflections may refer to the original class names during runtime. For example, various interface elements, presented as separate files as resources, may make reference to original class names. And these cannot be processed if encrypted.

It is also important to remember that nothing within frameworks should be obfuscated if it needs to be visible to third parties.

Note 1: Because Bitcode Obfuscation is iOS-specific, <bitcodeObfuscation> is an element within the <ios> tag of the configuration file.

Note 2: If no filter is specified in Bitcode Obfuscation, then nothing will be protected.

Note 3: If the filter for Bitcode Obfuscation contains a forward slash - / - then the class name(s) will not be encrypted, as in the first two examples below.

Filters for Inclusion (Bitcode Obfuscation)

1. The following filter is set to include every class within the input package, and to protect all of the methods and fields for those classes, but to leave class names unencrypted.

<dexprotector>
...    
   <ios mode="filters">
      <bitcodeObfuscation>
         <filters>
            <filter><![CDATA[glob:*/*]]></filter>
         </filters>
      </bitcodeObfuscation>
   </ios>
...
</dexprotector>

2. The following filter will protect all methods and fields in every class whose name begins with the string 'Test', but at the same time, the class names themselves will remain unencrypted:

<dexprotector>
...    
   <ios mode="filters">
      <bitcodeObfuscation>
         <filters>
            <filter><![CDATA[glob:Test*/*]]></filter>
         </filters>
      </bitcodeObfuscation>
   </ios>
...
</dexprotector>

3. The following filter will encrypt all classes entirely: class names, methods, and fields. However, this may cause errors at runtime for the reasons outlined above.

<dexprotector>
...    
   <ios mode="filters">
      <bitcodeObfuscation>
         <filters>
            <filter><![CDATA[glob:*]]></filter> 
         </filters>
      </bitcodeObfuscation>
   </ios>
...
</dexprotector>

4. The following filter will encrypt all classes whose name begins with the string 'Test', including the class names, methods, and fields.

<dexprotector>
...    
   <ios mode="filters">
      <bitcodeObfuscation>
         <filters>
            <filter><![CDATA[glob:Test*]]></filter> 
         </filters>
      </bitcodeObfuscation>
   </ios>
...
</dexprotector>

5. The following filter will encrypt all methods and fields whose names start with the string "mySecret", in every class.

<filter><![CDATA[glob:*/mySecret*]]></filter>

6. And the final example (below) shows a filter targeting a specific method (mySecret) within a specific class (Test).

<filter><![CDATA[glob:Test/mySecret]]></filter>

Of course, since these final two examples target specific methods, neither classes nor class names themselves will be encrypted. In other words, the general rule that if the filter for Bitcode Obfuscation contains a forward slash - / - then the class name(s) will not be encrypted continues to apply.


Resource Encryption

Resource Encryption can be used to target assets files in the framework, IPA, or xcarchive. These files can be targeted by file pattern (i.e. *.png denotes all files of PNG file format), name pattern (i.e. File1* denotes all files whose names begin with the string "File1"), by specific file name (e.g. File2.json), or by path (e.g. TestDir/File3.txt). Here is an example configuration for Resource Encryption:

<resourceEncryption>
   <assets>
      <filters>
         <filter>*.png</filter>
         <filter>File1*</filter>
         <filter>File2.json</filter>
         <filter>TestDir/File3.txt</filter>
      </filters>
   </assets>
</resourceEncryption>

Filters for Exclusion (String Encryption, Hide Access, Bitcode Obfuscation, Resource Encryption)

Filters for exclusion can be set by preceding the pattern with an exclamation mark !.

This is especially useful for excluding public classes from Bitcode Obfuscation, as in the example below:

<dexprotector>
...
    <ios mode="all">
        <bitcodeObfuscation>
            <filters>
                <filter><![CDATA[glob:*/*]]></filter>
                <filter><![CDATA[glob:!PublicClassA/*]]></filter>
                <filter><![CDATA[glob:!PublicClassB/*]]></filter>
            </filters>
        </bitcodeObfuscation>
    </ios>
...
</dexprotector>

This set of filters would target every class within the input package except for the two specified public classes PublicClassA and PublicClassB, which would remain entirely unencrypted.
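To preview what a set of class/method filters will do before a build, the sketch below parses the `glob:` syntax described above and applies it to a class inventory. It is an added example, not Licel's code: `parse_filter`, `preview`, the inventory and the filter list are constructed here, matching is approximated with Python's `fnmatchcase`, exclusions are assumed to win over inclusions regardless of order, and the class-name rule applies to Bitcode Obfuscation only.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class Filter:
    exclude: bool               # pattern was preceded by "!"
    class_pat: str              # ClassNamePattern
    method_pat: Optional[str]   # MethodNamePattern, or None when there is no "/"

    @property
    def encrypts_class_name(self):
        # Page rule for Bitcode Obfuscation: a "/" in the filter leaves class
        # names in the clear; only a slash-free inclusion filter encrypts them.
        return not self.exclude and self.method_pat is None


def parse_filter(text):
    """Split 'glob:[!]ClassNamePattern[/MethodNamePattern]' into its parts."""
    text = text.strip()
    if not text.startswith("glob:"):
        raise ValueError(f"expected a 'glob:' filter, got {text!r}")
    body = text[len("glob:"):]
    exclude = body.startswith("!")
    body = body[1:] if exclude else body
    class_pat, sep, method_pat = body.partition("/")
    return Filter(exclude, class_pat, method_pat if sep else None)


def _hits(flt, cls, member):
    # Assumption: fnmatch-style globbing approximates the tool's matcher.
    return fnmatchcase(cls, flt.class_pat) and (
        flt.method_pat is None or fnmatchcase(member, flt.method_pat))


def preview(filter_texts, inventory):
    """Map each class to the members targeted and whether its name is encrypted."""
    filters = [parse_filter(t) for t in filter_texts]
    includes = [f for f in filters if not f.exclude]
    excludes = [f for f in filters if f.exclude]
    report = {}
    for cls, members in inventory.items():
        targeted = sorted(
            m for m in members
            if any(_hits(f, cls, m) for f in includes)
            and not any(_hits(f, cls, m) for f in excludes))
        # Assumption: "!Class/*" or "!Class" removes the whole class, name included.
        whole_class_excluded = any(
            fnmatchcase(cls, f.class_pat) and f.method_pat in (None, "*")
            for f in excludes)
        name_encrypted = not whole_class_excluded and any(
            f.encrypts_class_name and fnmatchcase(cls, f.class_pat)
            for f in includes)
        report[cls] = {"members": targeted, "name_encrypted": name_encrypted}
    return report


# Constructed inputs for illustration; the filter forms are those shown on this page.
FILTERS = ["glob:SecretClass*/*", "glob:Test*", "glob:Public*/*", "glob:!PublicClassA/*"]
INVENTORY = {
    "SecretClassVault": ["unlock", "seed"],
    "TestRunner": ["run", "mySecret"],
    "PublicClassA": ["start"],
    "PublicClassHelper": ["assist"],
    "AppDelegate": ["launch"],
}

if __name__ == "__main__":
    for cls, info in preview(FILTERS, INVENTORY).items():
        print(f"{cls:18} name_encrypted={info['name_encrypted']!s:5} {info['members']}")
```

Classes reported with `name_encrypted=True` are the ones to test for the runtime reflection errors described under Bitcode Obfuscation.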


Configuring DexProtector for applications

Example configuration for applications

<?xml version="1.0" encoding="UTF-8" standalone="no"?>

<dexprotector>

<!-- BUILD SETTINGS -->

   <verbose>true</verbose>

<!-- SIGNING -->

   <certificate>Apple Distribution: Licel Corporation (2N2DJJYKB2)</certificate> 

<!-- iOS SETTINGS -->

   <ios mode="all" stripBitcode="on" protectSimulator="off" swiftEnvCheckMode="off">

      <paranoidMode/> 
	
      <mobileProvisionFile>/Users/developer/my.mobileprovision</mobileProvisionFile>
	
      <!-- For Crashlytics to function with a DexProtected IPA, stripBitcode must be set to "on", 
             with <bitcodeRebuilder> included and <outputdSYMsDir> specified. Crashlytics will function
             as normal with a DexProtected xcarchive. -->

      <bitcodeRebuilder>
         <outputdSYMsDir>/Users/developer/outDsyms</outputdSYMsDir>
      </bitcodeRebuilder> 

      <bitcodeObfuscation>
         <filters>  <!-- This filter includes classes matching the specified pattern. This filter
                                will obfuscate all fields and methods in classes whose name begins with 
                                the string "SecretClass", but will leave the class name(s) unencrypted.
                                Replace the placeholder with a pattern matching the class(es) that you wish to obfuscate,
                                adding additional filters as required. -->
            <filter><![CDATA[glob:SecretClass*/*]]></filter>
         </filters>
      </bitcodeObfuscation>

 <!-- Include this tag to protect frameworks within an IPA. If you intend to protect only a framework,
there is no need to include this tag; the other protection mechanisms will be applied to the input framework file. -->
      <frameworks mode="all">
         <filters> <!-- For filters, the names of frameworks are specified using the root of the frameworks folder
                               of an IPA. For example, if you have an AppCore.framework in your app, the filter will be
                               AppCore.framework/*, not including Frameworks or any other folder names. -->
            <filter><![CDATA[glob:Secret.framework/*]]></filter> 
         </filters>
      </frameworks>
	
  </ios>
  
<!-- CODE & RESOURCE PROTECTION -->

<!-- There is no need to specify filters for stringEncryption for iOS packages. DexProtector will encrypt strings
 in the package by default. -->

   <stringEncryption/> 

   <hideAccess mode="filters">
       <filters> <!-- This filter and those that follow include classes (and/or methods) within the package 
matching the specified patterns. Replace the placeholders with a pattern matching the class(es) that you wish to protect 
using Hide Access, and add additional filters as required. Hide Access is only necessary for Objective-C classes. -->
	  <filter><![CDATA[glob:ClassA]]></filter> 
          <filter><![CDATA[glob:ClassB*/methodA*]]></filter>
          <filter><![CDATA[glob:ClassC/methodB*]]></filter>
       </filters>
   </hideAccess>
	
   <resourceEncryption>
      <assets>
         <filters>  <!-- Replace the placeholder with a pattern matching the assets files that you wish to encrypt, 
                            and add additional filters as required. -->
            <filter>encrypt*</filter>
         </filters>
      </assets>
   </resourceEncryption>

<!-- RASP - RUNTIME & ENVIRONMENT CHECKS -->

 <!-- DexProtector's environment checks for iOS detect Jailbroken devices, Emulators, Root Cloaking, connected Debuggers, 
and Hooking attempts. All of these are achieved together by a combination of the <root> and <debug> mechanisms specified in
the configuration file. The probeMethod, negativeCallback, and positiveCallback methods must be the same for both <root> and <debug>,
and DexProtector will call them simultaneously. -->

   <detect>
      <root>
<!-- We intentionally exclude the callback for a positive result in these examples. In the event of
 DexProtector detecting a rooted device or emulator, for example, the application will simply crash. For the majority 
of cases, this is the recommended approach. -->

            <!-- <positiveCheckCallback>ProbeCallbacks.positiveCallback</positiveCheckCallback> -->
            <negativeCheckCallback>ProbeCallbacks.negativeCallback</negativeCheckCallback>
            <probeMethod>MainProbeClass.probeMethod</probeMethod>
      </root>
      <debug>
            <!-- <positiveCheckCallback>ProbeCallbacks.positiveCallback</positiveCheckCallback> -->
            <negativeCheckCallback>ProbeCallbacks.negativeCallback</negativeCheckCallback>
            <probeMethod>MainProbeClass.probeMethod</probeMethod>
      </debug>
   </detect>
	
<!-- UI Protection -->

   <uiProtection/>

<!-- NETWORK SECURITY -->

   <publicKeyPinning>
      <trace>9</trace>
      <actions>block</actions>
      <network-security-config>
         <domain-config>
            <domain includeSubdomains="true">openweathermap.org</domain>
                    <pin-set expiration="2021-10-19"> <!-- Please choose the expiration date carefully. We do not recommend 
setting a date far into the future. If you issue updates once a month, please set the expiration around 2 months from the 
current date. And do not forget to change the value with each new update. This could be crucial if your private key and 
certificate become compromised. -->
						<pin digest="SHA-256">axmGTWYycVN5oCjh3GJrxWVndLSZjypDO6evrHMwbXg=</pin>
						<!--
						The pin can be generated using the following command (check and replace 
                                                server name as required):
                      openssl s_client -connect onlinebanking.mobilebank.com:443 | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
 
                      If you have a backup certificate, please use the following command to generate the pin:
                      cat <PATH_TO_CERTIFICATE> | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
						-->
						<!-- Backup PIN(s) -->
						<pin digest="SHA-256">NzgSaUD6ERUxuom+Xu1qVANzKf5rwE4QGlaDLc02YiY=</pin>
                    </pin-set>
         </domain-config>
      </network-security-config>
   </publicKeyPinning>

   <certificateTransparency mode="all">
      <trace>0</trace> <!-- For debugging purposes, include the <trace> node with a value of 1000 -->
      <domain includeSubdomains="true">no-sct.badssl.com</domain>
 <!-- If no additional settings are specified, DexProtector will use a list of log servers that is located in the
 distribution package. However, should you need to use your own list of log servers, you can use the logFile node 
and specify a path to your list, as follows:
      <logFile>path_to_log_list_file</logFile> -->
   </certificateTransparency>

<!-- THREAT REPORTING AND TELEMETRY (ALICE) -->

  <reportMonitoring>
    <apiKey>137feb09-f390-4f00-b43f-ebccf530adf6lt</apiKey>
    <trace>0</trace>
  </reportMonitoring>

</dexprotector>
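A pre-build audit of a configuration file against the points this page documents (unfilled `no_default` placeholders, Bitcode Obfuscation without filters, device tracing left on, pinning that reports but does not block, pins that are not base64 SHA-256 digests, and pin-set expiration dates). This is an added example, not Licel's code or part of DexProtector; `audit`, the finding codes, the 62-day window (taken from the "around 2 months" advice for monthly releases) and the sample configuration are constructed here.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET

PLACEHOLDER = "no_default"  # template value used in the overview configuration

# Constructed sample (not a real project file): unfilled placeholders, an empty
# <bitcodeObfuscation/>, debug tracing, report-only pinning and a hex-encoded pin.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<dexprotector>
  <certificate>no_default</certificate>
  <ios mode="all" stripBitcode="off">
    <bitcodeObfuscation/>
  </ios>
  <publicKeyPinning>
    <trace>1000</trace>
    <actions>report</actions>
    <network-security-config>
      <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <pin-set expiration="2023-01-01">
          <pin digest="SHA-256">7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=</pin>
          <pin digest="SHA-256">00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff</pin>
        </pin-set>
      </domain-config>
    </network-security-config>
  </publicKeyPinning>
  <reportMonitoring>
    <apiKey>no_default</apiKey>
    <trace>0</trace>
  </reportMonitoring>
</dexprotector>
"""


def _text(el):
    return (el.text or "").strip()


def _is_sha256_pin(value):
    """True if value is base64 that decodes to a 32-byte SHA-256 digest."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def audit(xml_text, today, max_pin_lifetime_days=62):
    """Return a list of (code, detail) findings for one configuration file."""
    root = ET.fromstring(xml_text.encode("utf-8"))  # XML comments are dropped
    findings = []

    for el in root.iter():
        if _text(el) == PLACEHOLDER:
            findings.append(("PLACEHOLDER", f"<{el.tag}>"))
        for name, value in el.attrib.items():
            if value.strip() == PLACEHOLDER:
                findings.append(("PLACEHOLDER", f"<{el.tag} {name}=...>"))
        # The page reserves non-zero trace values for debugging.
        trace = el.find("trace")
        if trace is not None and _text(trace).isdigit() and int(_text(trace)) != 0:
            findings.append(("TRACE_ENABLED", f"<{el.tag}> trace={_text(trace)}"))

    # Page note: with no filter, Bitcode Obfuscation protects nothing.
    for bo in root.iter("bitcodeObfuscation"):
        if not [f for f in bo.iter("filter") if _text(f) not in ("", PLACEHOLDER)]:
            findings.append(("NO_BITCODE_FILTERS", "nothing will be obfuscated"))

    for pkp in root.iter("publicKeyPinning"):
        actions_el = pkp.find("actions")
        # The page documents "block, report" as the default for <actions>.
        raw = _text(actions_el) if actions_el is not None else "block, report"
        if "block" not in {a.strip() for a in raw.split(",")}:
            findings.append(("PIN_NOT_ENFORCED", f"actions={raw!r}"))
        for pin_set in pkp.iter("pin-set"):
            for pin in pin_set.findall("pin"):
                if _text(pin) != PLACEHOLDER and not _is_sha256_pin(_text(pin)):
                    findings.append(("BAD_PIN_FORMAT", _text(pin)[:16] + "..."))
            try:
                expires = dt.date.fromisoformat(pin_set.get("expiration", ""))
            except ValueError:
                continue  # absent or placeholder; the latter is reported above
            if expires < today:
                findings.append(("PIN_SET_EXPIRED", expires.isoformat()))
            elif (expires - today).days > max_pin_lifetime_days:
                findings.append(("PIN_EXPIRY_TOO_FAR", expires.isoformat()))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG, today=dt.date(2023, 2, 1)):
        print(f"{code:20} {detail}")
```

Run it in CI with `today=dt.date.today()` so that a release cannot ship with a stale pin-set date or debug tracing enabled.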

Configuring DexProtector for libraries and SDKs (Frameworks)

Example configuration for libraries & SDKs (Frameworks)

<?xml version="1.0" encoding="UTF-8" standalone="no"?>

<dexprotector>

<!-- BUILD SETTINGS -->

   <verbose>true</verbose>

<!-- SIGNING -->

   <certificate>Apple Distribution: Licel Corporation (2N2DJJYKB2)</certificate> 

<!-- iOS SETTINGS -->

   <ios mode="all" stripBitcode="on" protectSimulator="off" swiftEnvCheckMode="off">

      <paranoidMode/> 
	
      <mobileProvisionFile>/Users/developer/my.mobileprovision</mobileProvisionFile>
	
      <!-- For Crashlytics to function with a DexProtected IPA, stripBitcode must be set to "on", 
             with <bitcodeRebuilder> included and <outputdSYMsDir> specified. Crashlytics will function
             as normal with a DexProtected xcarchive. -->

      <bitcodeRebuilder>
         <outputdSYMsDir>/Users/developer/outDsyms</outputdSYMsDir>
      </bitcodeRebuilder> 

      <bitcodeObfuscation>
         <filters>  <!-- This filter includes classes matching the specified pattern. This filter
                                will obfuscate all fields and methods in classes whose name begins with 
                                the string "SecretClass", but will leave the class name(s) unencrypted.
                                Replace the placeholder with a pattern matching the class(es) that you wish to obfuscate,
                                adding additional filters as required. -->
            <filter><![CDATA[glob:SecretClass*/*]]></filter>
         </filters>
      </bitcodeObfuscation>

  </ios>
  
<!-- CODE & RESOURCE PROTECTION -->

<!-- There is no need to specify filters for stringEncryption for iOS packages. DexProtector will encrypt strings
 in the package by default. -->

   <stringEncryption/> 

   <hideAccess mode="filters">
       <filters> <!-- This filter and those that follow include classes (and/or methods) within the package 
matching the specified patterns. Replace the placeholders with a pattern matching the class(es) that you wish to protect 
using Hide Access, and add additional filters as required. Hide Access is only necessary for Objective-C classes. -->
	  <filter><![CDATA[glob:ClassA]]></filter> 
          <filter><![CDATA[glob:ClassB*/methodA*]]></filter>
          <filter><![CDATA[glob:ClassC/methodB*]]></filter>
       </filters>
   </hideAccess>
	
   <resourceEncryption>
      <assets>
         <filters>  <!-- Replace the placeholder with a pattern matching the assets files that you wish to encrypt, 
                            and add additional filters as required. -->
            <filter>encrypt*</filter>
         </filters>
      </assets>
   </resourceEncryption>

<!-- RASP - RUNTIME & ENVIRONMENT CHECKS -->

 <!-- DexProtector's environment checks for iOS detect Jailbroken devices, Emulators, Root Cloaking, connected Debuggers, 
and Hooking attempts. All of these are achieved together by a combination of the <root> and <debug> mechanisms specified in
the configuration file. The probeMethod, negativeCallback, and positiveCallback methods must be the same for both <root> and <debug>,
and DexProtector will call them simultaneously. -->

   <detect>
      <root>
		    <!-- We intentionally exclude the callback for a positive result in these examples. In the event of
 DexProtector detecting a rooted device or emulator, for example, the application will simply crash. For the majority 
of cases, this is the recommended approach. -->

            <!-- <positiveCheckCallback>ProbeCallbacks.positiveCallback</positiveCheckCallback> -->
            <negativeCheckCallback>ProbeCallbacks.negativeCallback</negativeCheckCallback>
            <probeMethod>MainProbeClass.probeMethod</probeMethod>
      </root>
      <debug>
            <!-- <positiveCheckCallback>ProbeCallbacks.positiveCallback</positiveCheckCallback> -->
            <negativeCheckCallback>ProbeCallbacks.negativeCallback</negativeCheckCallback>
            <probeMethod>MainProbeClass.probeMethod</probeMethod>
      </debug>
   </detect>
	
<!-- UI Protection -->

   <uiProtection/>

<!-- NETWORK SECURITY -->

   <publicKeyPinning>
      <trace>9</trace>
      <actions>block</actions>
      <network-security-config>
         <domain-config>
            <domain includeSubdomains="true">openweathermap.org</domain>
                    <pin-set expiration="2021-10-19"> <!-- Please choose the expiration date carefully. We do not recommend 
setting a date far into the future. If you issue updates once a month, please set the expiration around 2 months from the 
current date. And do not forget to change the value with each new update. This could be crucial if your private key and 
certificate become compromised. -->
						<pin digest="SHA-256">axmGTWYycVN5oCjh3GJrxWVndLSZjypDO6evrHMwbXg=</pin>
						<!--
						The pin can be generated using the following command (check and replace 
                                                server name as required):
                      openssl s_client -connect onlinebanking.mobilebank.com:443 | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
 
                      If you have a backup certificate, please use the following command to generate the pin:
                      cat <PATH_TO_CERTIFICATE> | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
						-->
						<!-- Backup PIN(s) -->
						<pin digest="SHA-256">NzgSaUD6ERUxuom+Xu1qVANzKf5rwE4QGlaDLc02YiY=</pin>
                    </pin-set>
         </domain-config>
      </network-security-config>
   </publicKeyPinning>

   <certificateTransparency mode="all">
      <trace>0</trace> <!-- For debugging purposes, include the <trace> node with a value of 1000 -->
      <domain includeSubdomains="true">no-sct.badssl.com</domain>
 <!-- If no additional settings are specified, DexProtector will use a list of log servers that is located in the
 distribution package. However, should you need to use your own list of log servers, you can use the logFile node 
and specify a path to your list, as follows:
      <logFile>path_to_log_list_file</logFile> -->
   </certificateTransparency>

</dexprotector>