Mad SDK obfuscation protects sensitive text data inside injected binaries and frameworks by transforming readable strings into unreadable bytecode. It scans the target binary for plain-text elements such as API keys, URL endpoints, authentication tokens, database connection strings and other texts hard-coded in the code, and then encrypts or encodes them into an obfuscated format.
When using the CLI, the client can specify whether only CFStrings, CStrings or both should be obfuscated, and which SDKs should be targeted. By default, the main executable of iOS apps protected by Mad is the target of string obfuscation.
String obfuscation can be enabled or disabled based on the value StringObfuscation in the file config.plist.
Whitelisted strings can be defined in the file config.plist in the array SDKObfuscationWhitelistedStrings.
Limits for the number of strings can be defined in this section.
At runtime, the original strings are dynamically decrypted in memory only when needed, preventing static analysis tools from easily extracting sensitive information.
This adds an extra layer of protection against reverse engineering, making it significantly harder for attackers to discover embedded credentials or internal API structures just by inspecting the binary.
