Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Explain how archiving and obfuscation works for a macOS release build #9046

Open
Tom3652 opened this issue Apr 10, 2023 · 6 comments
Open

Explain how archiving and obfuscation works for a macOS release build #9046

Tom3652 opened this issue Apr 10, 2023 · 6 comments
Labels
dev.deployment Relates to deploying Flutter app section of Flutter.dev devos.macOS Relates to developing apps on macOS platform e2-days Effort: < 5 days p2-medium Necessary but not urgent concern. Resolve when possible. target.macOS Target apps on the macOS platform

Comments

@Tom3652
Copy link

Tom3652 commented Apr 10, 2023

I have already a running MacOS app live on the App Store and i have followed these steps to release it.

I have also run this command to obfuscate my dart code :

flutter build macos --obfuscate --release --split-debug-info=/Users/foxtom/StudioProjects/MyProject/build --build-name=1.0.4 --build-number=4 

However, when the documentation says :

Open Xcode and select Product > Archive to open the archive created in the previous step.

Clicking on Product > Archive simply creates a new archive from Xcode, and doesn't use the previously created inside the /Users/foxtom/StudioProjects/Project/build folder.

So, the documentation states that we can obfuscate macos apps, but to upload them we can't use the App Transporter from Apple as we can do for .ipa and also have to create a new archive from Xcode which is not obfuscated.

Thanks for your understanding

@Tom3652 Tom3652 changed the title [macos] Documentation is unclear regarding archiving and obfuscation [macOS] Documentation is unclear regarding archiving and obfuscation for a release build Apr 10, 2023
@Tom3652
Copy link
Author

Tom3652 commented Apr 17, 2023

A current workaround is to archive with Xcode, and also run the flutter command.

Once the archive is created with Xcode, simply replace the binary by the flutter binary (it's working because i have released a new version of my MacOS app obfuscated)

@gspencergoog
Copy link
Contributor

We probably need separate instructions for a macOS app on the website.

@gspencergoog gspencergoog transferred this issue from flutter/flutter Jul 13, 2023
@atsansone atsansone changed the title [macOS] Documentation is unclear regarding archiving and obfuscation for a release build Explain how archiving and obfuscation works for a macOS release build Jul 14, 2023
@atsansone atsansone added p2-medium Necessary but not urgent concern. Resolve when possible. e2-days Effort: < 5 days devos.macOS Relates to developing apps on macOS platform target.macOS Target apps on the macOS platform dev.deployment Relates to deploying Flutter app section of Flutter.dev st.triage.ltw labels Jul 14, 2023
@cbracken
Copy link
Member

cbracken commented Aug 1, 2023

Aside from the macOS releasing instructions, we should ensure that the Dart obfuscation instructions are accurate and work for macOS. It may be worth noting that platform-specific instructions can be found in the platform-specific releasing guides.

@alexvoina
Copy link

can someone shed some light here? @gspencergoog

I want to obfuscate my macOS app & then notarize it and there doesn't seem to be a way to do that.

@Tom3652 described the problem perfectly. Does the Flutter team need any additional information to provide an answer?

Moreover there are no clear instructions to test that the obfuscation is applied to the binary. I'm using a command line utility used by hackers "rizin" to inspect the binary. I can't notice any difference between a flutter debug build, a flutter release build and a flutter release build with --obfusate flag.

I can see all the strings & function names from native code, but none from dart. I see a lot of "garbage" like this.

CiCiCCCCC
BxBxBLBLB#B#B
AsAsAEAEA
@@@-@-@
?g?g?5?5?

f>f>0>0>
=X=X=!=!=

  1. Does flutter obfuscate the dart code by default, no matter the type of build? (i.e. Runner from Xcode, or using flutter build)?
  2. If the --obfuscate flag is indeed needed, then how can we test that it works?
  3. If the --obfuscate flag is needed and it works, how can one upload the "result" of the flutter build --obfuscate to AppStore ?

p.s. my flutter app (windows version) has already been cracked:
https://audioz.download/software/win/245379-download_hiits-studio-130.html

Please clarify the topic of obfuscation & security for desktop apps (both macOS & Windows), because it is important!

@alexvoina
Copy link

can someone shed some light here? @gspencergoog

I want to obfuscate my macOS app & then notarize it and there doesn't seem to be a way to do that.

@Tom3652 described the problem perfectly. Does the Flutter team need any additional information to provide an answer?

Moreover there are no clear instructions to test that the obfuscation is applied to the binary. I'm using a command line utility used by hackers "rizin" to inspect the binary. I can't notice any difference between a flutter debug build, a flutter release build and a flutter release build with --obfusate flag.

I can see all the strings & function names from native code, but none from dart. I see a lot of "garbage" like this.

CiCiCCCCC BxBxBLBLB#B#B AsAsAEAEA @@@-@-@ ?g?g?5?5?

f>f>0>0>
=X=X=!=!=

  1. Does flutter obfuscate the dart code by default, no matter the type of build? (i.e. Runner from Xcode, or using flutter build)?
  2. If the --obfuscate flag is indeed needed, then how can we test that it works?
  3. If the --obfuscate flag is needed and it works, how can one upload the "result" of the flutter build --obfuscate to AppStore ?

p.s. my flutter app (windows version) has already been cracked: https://audioz.download/software/win/245379-download_hiits-studio-130.html

Please clarify the topic of obfuscation & security for desktop apps (both macOS & Windows), because it is important!

In the meantime I found out i was inspecting the wrong binary. I can see all the strings declared in my dar code, and none of my dart functions, regardless of whether or not I build with --obfuscate flag.

So most of my question remains the same. How to test obfuscation works? Will the strings remain in clear text even if obfuscation is applied?

@Tom3652
Copy link
Author

Tom3652 commented Dec 31, 2024

Can anyone in the Flutter team answer the question please ?

It will allow everyone to see an answer on this issue while you are updating the documentation, which takes a very long time and prevent us from releasing our apps the way we want.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dev.deployment Relates to deploying Flutter app section of Flutter.dev devos.macOS Relates to developing apps on macOS platform e2-days Effort: < 5 days p2-medium Necessary but not urgent concern. Resolve when possible. target.macOS Target apps on the macOS platform
Projects
None yet
Development

No branches or pull requests

6 participants