How to Protect Info.plist Files in iOS SDKs

What are SDK Info.plist Files?

SDK Info.plist files are specific property list files used within iOS Software Development Kits (SDKs). These files are essential for defining configuration details and settings that dictate how the SDK behaves when integrated with iOS applications. Like the more commonly known Info.plist files used in iOS apps, SDK Info.plist files are formatted in XML and serve as a collection of key-value pairs.

Key Aspects of SDK Info.plist Files:

• Configuration Settings: They store important parameters that can influence the SDK’s functions, such as version information, SDK-specific permissions, and other operational parameters.
• Structured Data: SDK Info.plist files organize data in a structured format, making it easy for both the iOS system and the applications that utilize the SDK to parse and manage.
• Integration Specifics: These files can include keys that are specific to the SDK’s integration with the app, such as hooks into app lifecycle events or environment-specific variables.

These plist files are integral to ensuring that the SDK integrates smoothly into an app’s ecosystem, providing necessary information for both the app and the SDK to operate correctly within the iOS environment.

Why Protecting SDK Info.plist files is Essential?

Encrypting SDK Info.plist files safeguard sensitive data from potential security threats. These files can contain API keys, backend service configurations, and other sensitive information that, if exposed, could lead to significant security vulnerabilities. Furthermore, unauthorized modifications to these files could compromise SDK functionality and app integrity. Common risks include:

• Unauthorized Feature Manipulation: Modifying SDK features or behavior.
• Data Leakage: Exposing sensitive information embedded within the SDK.
• Access Violations: Unauthorized changes to permissions and settings.

Appdome’s Protect Plist Feature for SDKs

Appdome’s Protect Plist feature explicitly addresses the security needs of SDK Info.plist files by encrypting them to prevent unauthorized access and modifications. This feature is designed to encrypt all plist files related to the SDK, excluding those necessary for app operation, such as app signing (e.g., entitlements and provisioning profiles).

Prerequisites for Using Protect Info.plist with Appdome SDKProtect™

Before starting the process of securing your SDK with Appdome, ensure you have the following:

• • Appdome account (create a free Appdome account here)
  • A license for SDKProtect™
  • A valid iOS .xcframework.zip file

Protect Info.plist on iOS apps using Appdome:

On Appdome, follow these three simple steps to create self-defending iOS SDKs that Encrypt Info.plist.

1. Upload a Mobile SDK to Appdome.
   • Upload Method: Appdome Console or DEV-API
   • iOS Formats: .xcframework.zip
   • Protect Info.plist Compatible With Obj-C and Swift
2. Build the feature: Protect Info.plist.

Build Protect Info.plist using Appdome’s DEV-API:

1. • 1. Create and name the Fusion Set (security template) that will contain the Encrypt Info.plist feature as shown below:
        
        Figure 1: Fusion Set that will contain the Encrypt Info.plist feature
        Note: Naming the Fusion Set to correspond to the protection(s) selected is for illustration purposes only (not required).
     2. To add the Encrypt Info.plist feature to this Fusion Set, follow the steps in the section “Building the Encrypt Info.plist feature via Appdome Console” of this article.
     3. Open the Fusion Set Detail Summary by clicking the “…” symbol on the far-right corner of the Fusion Set. Copy the Fusion Set ID from the Fusion Set Detail Summary (as shown below):
        
        Figure 2: Fusion Set Detail Summary
        Note: Annotating the Fusion Set to identify the protection(s) selected is optional only (not mandatory).
     4. Follow the instructions below to use the Fusion Set ID inside any standard mobile DevOps or CI/CD toolkit like Bitrise, App Center, Jenkins, Travis, Team City, Circle CI, or other systems:
        • Build an API for the app – for instructions, see the tasks under Appdome API Reference Guide
        • Look for sample APIs in Appdome’s GitHub Repository

Build the Encrypt Info.plist protection using Appdome Console:

1. Where: Inside the Appdome Console, go to Build SDKProtect™ Tab > SDK Threat-Shielding section.
2. How: Toggle (turn ON) Protect Info.plist, as shown below:
   
   Figure 3: Encrypt Info.plist option
3. When you select the Encrypt Info.plist you’ll notice that the Fusion Set you created now bears the icon of the protection category that contains Encrypt Info.plist
   Figure 4: Fusion Set that displays the newly added Encrypt Info.plist protection
4. Click Build My App at the bottom of the Build Workflow (shown in Figure 3).