Skip to content

iOS, Bitcode and App Security

Apple phone, tablet and laptop displaying app icons
Six years ago, Apple added support for Bitcode with Xcode 7. Still, after all this time, there are many misconceptions about what it means for developers and their iOS apps. Here, we’ll discuss how “bitcode enabling” your app can affect its overall security.

What is Bitcode?

When a developer compiles code to upload into the AppStore, it must be converted from the human-readable source code to machine code. Bitcode is an Intermediate Representation (IR) of your code – somewhere between source code and machine code. According to Apple, bitcode “allows the AppStore to compile your app optimized for the target devices and operating system versions, and may recompile it later to take advantage of specific hardware, software, or compiler changes.” Essentially, this means that a bitcode enabled application can be optimized for the particular device it is being installed on. Not only that, but it will always be optimized with the latest and greatest compiler technology. Bitcode enabled applications guarantee that the end user will always have the best possible version of your app.

How Bitcode is Compiled

The compilers* built into Apple’s development environment, Xcode, take the source code and convert it to a format called LLVM IR. This step is performed by the compiler front end. Then, a compiler backend takes the LLVM IR and converts it into machine code—ready to execute on the device of choice. Diagram of a bitcode compiler pipeline For a bitcode enabled app, the LLVM IR is packaged with the application when it is published to the AppStore. The compiler backend is then executed by Apple as part of the AppStore infrastructure. From a developer’s point of view, bitcode enabling an app is straightforward – it’s a single build option. Screenshot of a developer bitcode enabling an app So why wouldn’t you take advantage of this targeted optimization offered by Apple? The answer is dependency chains – every component an app or framework consumes also needs to be bitcode enabled. If your app is integrating with older software libraries that aren’t bitcode enabled, you have two choices: You can either turn bitcode off or replace the libraries. Often, the easier option is simply to turn bitcode off. This is likely the reason Apple hasn’t yet mandated bitcode on all iOS apps. However, bitcode is mandatory for tvOS and watchOS apps. Apple requires these to be published as bitcode enabled apps because the dependency chains of these newer operating systems have been fully bitcode enabled from day one. Unlike iOS, no migration is required for tvOS and watchOS apps.

Do You Trust Apple?

When it comes to security, the closer your code executes to hardware, the more difficult it is to reverse engineer. Thus, an intermediate format like bitcode is easier for an attacker to decipher and understand. For security’s sake, this is often a good reason to turn off bitcode. However, it shouldn’t be a concern because bitcode is never installed on a device. In fact, it never even leaves Apple’s AppStore. As long as you trust Apple (and if you don’t, why are you publishing an app on their platform?) then bitcode should not be considered a security concern.

The Importance of Binary Integrity

Ensuring code executes exactly as the developer intends is key to its security. If an attacker can modify the code, it is easier to reverse engineer and easier to weaponize. Anti-tamper technology checks the code to ensure it has not been modified. Enterprise-grade solutions will interweave a series of checks with your functional code. This creates a dynamic “check network” that constantly evaluates your code as it runs, making sure there are no differences between what is executing and what you intended. Bitcode poses a challenge to anti-tamper technology since it enables Apple to change the executing code on a per device basis. The fact that the executing code can also change over time as Apple improve the compilers only adds to the security challenge. With the code changing, where does the anti-tamper get its reference picture so it can spot differences? To solve this challenge and keep bitcode secure, Verimatrix launched Elastic Anti-Tamper technology. For the first time, bitcode enabled apps can be protected with enterprise-code anti-tamper solutions. This adds to Verimatrix’s suite of proven Shielding products – giving our customers confidence in their iOS app security whether they bitcode enable their app or not. *Clang for C, C++ and Objective-C, SwiftC for Swift
Do you have questions about applications and content security?

Book a call with one of our experts

BOOK A CALL
Want to keep up with Verimatrix news?

Sign up to the newsletter

SIGN UP

View by Category

Recent Posts

Want to take a deep dive?
VIEW EBOOKS

Connect with us

Facebook Twitter Youtube

Related Posts

Verimatrix Data Shows Both Russians and Ukrainians Turning to VPNs

Verimatrix Data Shows Both Russians and Ukrainians Turning to VPNs

March 28, 2022
Are you undermining your VA/PT strategy?

Are you undermining your VA/PT strategy?

March 24, 2022
Why Customers Love Verimatrix App Shield Pro

Why Customers Love Verimatrix App Shield Pro

January 12, 2022
Why good cyber security is good customer service?

Why good cyber security is good customer service?

November 23, 2021
Top discussions on security trends at Money 20/20

Top discussions on security trends at Money 20/20

November 2, 2021
Think tank thinking – learning mobile app security from the experts

Think tank thinking – learning mobile app security from the experts

November 22, 2021
At the Edge of Esports: Team 7AM Speaks

At the Edge of Esports: Team 7AM Speaks

June 14, 2021
What Every Developer Should Know About Repackaging Attacks

What Every Developer Should Know About Repackaging Attacks

June 21, 2021
Is Your Third-Party and Legacy Software Vulnerable?

Is Your Third-Party and Legacy Software Vulnerable?

June 14, 2021
Spoofing Attacks in Gaming: Popular Methods for Hacks and Cheats

Spoofing Attacks in Gaming: Popular Methods for Hacks and Cheats

April 26, 2021
In the Rush to Develop Vaccine Passports, How Do You Prioritize App Security?

In the Rush to Develop Vaccine Passports, How Do You Prioritize App Security?

April 26, 2021
The Future of Payment Acceptance

The Future of Payment Acceptance

April 15, 2021

Anti-Piracy

Streamkeeper Cloud Solutions
On Prem Solutions

Threat Defense

App & Client Protection
Endpoint Defense

Techniques

Solutions

Platform

Resources

About Us

Pricing

EN

Talk to specialist
This site is registered on wpml.org as a development site.