SecurityKit

Overview

SecurityKit is a lightweight, easy-to-use Swift library that helps protect iOS apps according to the OWASP MASVS standard, chapter v8, providing an advanced security and anti-tampering layer.

Installation

SecurityKit is available with Swift Package Manager.

The Swift Package Manager is a tool for automating the distribution of Swift code and is integrated into the swift compiler.

Once you have your Swift package set up, adding SecurityKit as a dependency is as easy as adding it to the dependencies value of your Package.swift.

dependencies: [
    .package(url: "https://github.com/FuturraGroup/SecurityKit.git", .branch("main"))
]

Usage

Update Info.plist

For jailbreak detection to work correctly, you need to update your main Info.plist.

<key>LSApplicationQueriesSchemes</key>
<array>
    <string>cydia</string>
    <string>undecimus</string>
    <string>sileo</string>
    <string>zbra</string>
    <string>filza</string>
</array>

Jailbreak detection

• This type method is used to detect the true/false jailbreak status

if SecurityKit.isJailBroken() {
    print("This device is jailbroken")
} else {
    print("This device is not jailbroken")
}

• This type method is used to detect the jailbreak status with a message which jailbreak indicator was detected

let jailbreakStatus = SecurityKit.isJailBrokenWithErrorMessage()
if jailbreakStatus.jailbroken {
    print("This device is jailbroken")
    print("Because: \(jailbreakStatus.errorMessage)")
} else {
    print("This device is not jailbroken")
}

• This type method is used to detect the jailbreak status with a list of failed detects

let jailbreakStatus = SecurityKit.isJailBrokenWithErrorDetects()
if jailbreakStatus.jailbroken {
    print("This device is jailbroken")
    print("The following checks failed: \(jailbreakStatus.errorDetects)")
}

XOR String obfuscation

// String Encryption
let encrypt = SecurityKit.stringEncryption(plainText: "plainText", encryptionKey: "key")

// String Decryption
let decrypt = SecurityKit.stringDecryption(cypherText: encrypt, decryptionKey: "key")

AES-GCM encryption

• AES-256-GCM authenticated encryption via CryptoKit (iOS 13+). Provides both confidentiality and integrity.

let secret = "sensitive data".data(using: .utf8)!

// Encrypt
if let encrypted = SecurityKit.aesEncrypt(data: secret, key: "myPassphrase") {
    print("Encrypted: \(encrypted.base64EncodedString())")

    // Decrypt
    if let decrypted = SecurityKit.aesDecrypt(data: encrypted, key: "myPassphrase") {
        let string = String(data: decrypted, encoding: .utf8)
        print("Decrypted: \(string ?? "")")
    }
}

View Protection

• Protecting a specific UIView from being screenshotted

ViewProtection.shared.makeProtection(for: self.view)

• Remove protection from UIView

ViewProtection.shared.removeScreenProtection(for: self.view)

Screen recording protection

• Screen recording protection, the screen will be completely blurred

BlurScreen.shared.start()

• Stop screen recording protection

BlurScreen.shared.stop()

Simulator detection

• This type method is used to detect if application is run in simulator

if SecurityKit.isSimulator() {
    print("app is running on the simulator")
} else {
    print("app is not running on the simulator")
}

Reverse engineering tools detection

• This type method is used to detect if there are any popular reverse engineering tools installed on the device

if SecurityKit.isReverseEngineered() {
    print("This device has reverse engineering tools")
} else {
    print("This device does not have reverse engineering tools")
}

• This type method is used to detect the reverse engineered status with a list of failed detects

let reStatus = SecurityKit.isReverseEngineeredWithErrorDetect()
if reStatus.reverseEngineered {
    print("SecurityKit: This device has evidence of reverse engineering")
    print("SecurityKit: The following detects failed: \(reStatus.errorDetect)")
}

Debugger detection

• This type method is used to detect if application is being debugged

let isDebugged: Bool = SecurityKit.isDebugged()

• This type method is used to deny debugger and improve the application resillency

SecurityKit.denyDebugger()

• This method is used to detect if application was launched by something other than LaunchD (i.e. the app was launched by a debugger)

let isNotLaunchD: Bool = SecurityKit.isParentPidUnexpected()

• This type method is used to detect if there are any breakpoints at the function

func denyDebugger() {
    // add a breakpoint at here to test
}

typealias FunctionType = @convention(thin) ()->()

let func_denyDebugger: FunctionType = denyDebugger   // `: FunctionType` is a must
let func_addr = unsafeBitCast(func_denyDebugger, to: UnsafeMutableRawPointer.self)
let hasBreakpoint: Bool = SecurityKit.hasBreakpointAt(func_addr, functionSize: nil)

• This type method is used to detect if a watchpoint is being used. A watchpoint is a type of breakpoint that 'watches' an area of memory associated with a data item.

// Set a breakpoint at the testWatchpoint function
func testWatchpoint() -> Bool{
    // lldb: watchpoint set expression ptr
    var ptr = malloc(9)
    // lldb: watchpoint set variable count
    var count = 3
    return SecurityKit.hasWatchpoint()
}

• This type method is used to detect if a debugger has registered exception ports on the current task

let hasExceptionPort: Bool = SecurityKit.isExceptionPortSet()

Integrity detection

• This type method is used to detect if application has been tampered with

if SecurityKit.isTampered(
    [.bundleID("com.app.bundle"),
     .mobileProvision("your-mobile-provision-sha256-value")]
).result {
    print("SecurityKit: I have been Tampered.")
} else {
    print("SecurityKit: I have not been Tampered.")
}

• This type method is used to get the SHA256 hash value of the executable file in a specified image

// Manually verify SHA256 hash value of a loaded dylib
if let hashValue = SecurityKit.getMachOFileHashValue(.custom("SecurityKit")),
   hashValue == "6d8d460b9a4ee6c0f378e30f137cebaf2ce12bf31a2eef3729c36889158aa7fc" {
    print("SecurityKit: I have not been Tampered.")
} else {
    print("SecurityKit: I have been Tampered.")
}

• This type method is used to find all loaded dylibs in the specified image

if let loadedDylib = SecurityKit.findLoadedDylibs() {
    print("SecurityKit: Loaded dylibs: \(loadedDylib)")
}

Code signature detection

• This type method is used to detect if the app's code signature directory has been modified or removed

if SecurityKit.isCodeSignatureModified() {
    print("Code signature has been tampered with")
}

• This type method is used to detect if the app is running as a development build

if SecurityKit.isDevelopmentBuild() {
    print("This is a development build")
}

• This type method is used to verify the team identifier from the embedded provisioning profile

if SecurityKit.verifyTeamIdentifier("ABCDEF1234") {
    print("Team identifier is valid")
} else {
    print("Team identifier mismatch — app may have been re-signed")
}

MSHookFunction detection

• This type method is used to detect if function_address has been hooked by MSHook

func denyDebugger() { ... }

typealias FunctionType = @convention(thin) ()->()

let func_denyDebugger: FunctionType = denyDebugger // `: FunctionType` is must
let func_addr = unsafeBitCast(func_denyDebugger, to: UnsafeMutableRawPointer.self)
let isMSHooked: Bool = SecurityKit.isMSHooked(func_addr)

• This type method is used to get original function_address which has been hooked by MSHook

func denyDebugger(value: Int) { ... }

typealias FunctionType = @convention(thin) (Int)->()

let funcDenyDebugger: FunctionType = denyDebugger
let funcAddr = unsafeBitCast(funcDenyDebugger, to: UnsafeMutableRawPointer.self)

if let originalDenyDebugger = SecurityKit.denyMSHook(funcAddr) {
    // Call orignal function with 1337 as Int argument
    unsafeBitCast(originalDenyDebugger, to: FunctionType.self)(1337)
} else {
    denyDebugger()
}

FishHook detection

• This type method is used to rebind symbol which has been hooked by fishhook

SecurityKit.denySymbolHook("$s10Foundation5NSLogyySS_s7CVarArg_pdtF") // Foudation's NSlog of Swift
NSLog("Hello Symbol Hook")

SecurityKit.denySymbolHook("abort")
abort()

• This type method is used to rebind symbol which has been hooked at one of image by fishhook

for i in 0..<_dyld_image_count() {
    if let imageName = _dyld_get_image_name(i) {
        let name = String(cString: imageName)
        if name.contains("SecurityKit"), let image = _dyld_get_image_header(i) {
            SecurityKit.denySymbolHook("dlsym", at: image, imageSlide: _dyld_get_image_vmaddr_slide(i))
            break
        }
    }
}

RuntimeHook detection

• This type method is used to detect if objc call has been RuntimeHooked by for example Flex

class SomeClass {
    @objc dynamic func someFunction() { ... }
}

let dylds = ["SecurityKit", ...]

let isRuntimeHook: Bool = SecurityKit.isRuntimeHook(
    dyldAllowList: dylds,
    detectionClass: SomeClass.self,
    selector: #selector(SomeClass.someFunction),
    isClassMethod: false
)

System proxy and VPN detection

• This type method is used to detect if HTTP proxy or VPN was set in the iOS Settings.

let isProxied: Bool = SecurityKit.isProxied()

Lockdown mode detection

• This type method is used to detect if the device has lockdown mode turned on.

let isLockdownModeEnable: Bool = SecurityKit.isLockdownModeEnable()

Environment variables detection

• This type method is used to detect suspicious environment variables commonly used for code injection (e.g. DYLD_INSERT_LIBRARIES, SUBSTRATE_INSERT_LIBRARIES)

if SecurityKit.hasSuspiciousEnvironment() {
    print("Suspicious environment variables detected")
}

Network security detection

• This type method is used to detect if SSL Kill Switch or similar SSL unpinning tools are loaded

if SecurityKit.isSSLKillSwitchLoaded() {
    print("SSL Kill Switch detected — network traffic may be intercepted")
}

• This type method is used to detect if App Transport Security (ATS) is disabled in Info.plist

if SecurityKit.isATSDisabled() {
    print("ATS is disabled — insecure HTTP connections are allowed")
}

Device fingerprint

• This type method generates a unique, stable SHA256 device fingerprint based on vendor ID, Keychain-persisted UUID, and hardware model

let fingerprint: String = SecurityKit.getDeviceFingerprint()
print("Device fingerprint: \(fingerprint)")

Secure Storage

• A Keychain wrapper for securely storing sensitive data with configurable accessibility levels

let storage = SecureStorage()

// Save a string
storage.save("secret-token", for: "auth_token")

// Load a string
if let token = storage.loadString(for: "auth_token") {
    print("Token: \(token)")
}

// Save raw data
let data = "sensitive".data(using: .utf8)!
storage.save(data, for: "secret_data")

// Load raw data
if let loaded = storage.loadData(for: "secret_data") {
    print("Data: \(loaded)")
}

// Check existence
let exists: Bool = storage.exists(key: "auth_token")

// Delete a single item
storage.delete(key: "auth_token")

// Delete all items for this service
storage.deleteAll()

• Custom access levels for different security requirements

// Most secure — requires passcode, bound to this device
let secure = SecureStorage(accessLevel: .whenPasscodeSetThisDeviceOnly)

// Available after first unlock, even when locked (for background tasks)
let background = SecureStorage(accessLevel: .afterFirstUnlockThisDeviceOnly)

// Custom service identifier
let custom = SecureStorage(service: "com.myapp.credentials", accessLevel: .whenUnlockedThisDeviceOnly)

Memory Protection

• Securely wipe sensitive data from memory to prevent forensic recovery

var secretData = "password123".data(using: .utf8)!
MemoryProtection.wipe(&secretData)
// secretData is now empty

var secretBytes: [UInt8] = [0x41, 0x42, 0x43]
MemoryProtection.wipe(&secretBytes)
// secretBytes is now empty

var secretString = "my-api-key"
MemoryProtection.wipe(&secretString)
// secretString is now ""

Clipboard Protection

• Clear the clipboard immediately or after a delay to prevent sensitive data leakage

// Clear clipboard immediately
ClipboardProtection.shared.clearClipboard()

// Clear clipboard after 30 seconds (default)
ClipboardProtection.shared.clearAfterDelay()

// Clear clipboard after custom delay
ClipboardProtection.shared.clearAfterDelay(10)

// Check if clipboard has content
let hasContent: Bool = ClipboardProtection.shared.hasContent()

// Cancel pending auto-clear
ClipboardProtection.shared.stopAutoClear()

Contribute

Contributions for improvements are welcomed. Feel free to submit a pull request to help grow the library. If you have any questions, feature suggestions, or bug reports, please send them to Issues.

License

MIT License

Copyright (c) 2025 Futurra Group

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.