Open Tom3652 opened 1 year ago
A current workaround is to archive with Xcode, and also run the flutter
command.
Once the archive is created with Xcode, simply replace the binary by the flutter binary (it's working because i have released a new version of my MacOS app obfuscated)
We probably need separate instructions for a macOS app on the website.
Aside from the macOS releasing instructions, we should ensure that the Dart obfuscation instructions are accurate and work for macOS. It may be worth noting that platform-specific instructions can be found in the platform-specific releasing guides.
can someone shed some light here? @gspencergoog
I want to obfuscate my macOS app & then notarize it and there doesn't seem to be a way to do that.
@Tom3652 described the problem perfectly. Does the Flutter team need any additional information to provide an answer?
Moreover there are no clear instructions to test that the obfuscation is applied to the binary. I'm using a command line utility used by hackers "rizin" to inspect the binary. I can't notice any difference between a flutter debug build, a flutter release build and a flutter release build with --obfusate flag.
I can see all the strings & function names from native code, but none from dart. I see a lot of "garbage" like this.
CiCiCCCCC BxBxBLBLB#B#B AsAsAEAEA @\@\@-@-@ ?g?g?5?5?
f>f>0>0> =X=X=!=!=
p.s. my flutter app (windows version) has already been cracked: https://audioz.download/software/win/245379-download_hiits-studio-130.html
Please clarify the topic of obfuscation & security for desktop apps (both macOS & Windows), because it is important!
can someone shed some light here? @gspencergoog
I want to obfuscate my macOS app & then notarize it and there doesn't seem to be a way to do that.
@Tom3652 described the problem perfectly. Does the Flutter team need any additional information to provide an answer?
Moreover there are no clear instructions to test that the obfuscation is applied to the binary. I'm using a command line utility used by hackers "rizin" to inspect the binary. I can't notice any difference between a flutter debug build, a flutter release build and a flutter release build with --obfusate flag.
I can see all the strings & function names from native code, but none from dart. I see a lot of "garbage" like this.
CiCiCCCCC BxBxBLBLB#B#B AsAsAEAEA @@@-@-@ ?g?g?5?5?
f>f>0>0> =X=X=!=!=
- Does flutter obfuscate the dart code by default, no matter the type of build? (i.e. Runner from Xcode, or using flutter build)?
- If the --obfuscate flag is indeed needed, then how can we test that it works?
- If the --obfuscate flag is needed and it works, how can one upload the "result" of the flutter build --obfuscate to AppStore ?
p.s. my flutter app (windows version) has already been cracked: https://audioz.download/software/win/245379-download_hiits-studio-130.html
Please clarify the topic of obfuscation & security for desktop apps (both macOS & Windows), because it is important!
In the meantime I found out i was inspecting the wrong binary. I can see all the strings declared in my dar code, and none of my dart functions, regardless of whether or not I build with --obfuscate flag.
So most of my question remains the same. How to test obfuscation works? Will the strings remain in clear text even if obfuscation is applied?
I have already a running MacOS app live on the App Store and i have followed these steps to release it.
I have also run this command to obfuscate my dart code :
However, when the documentation says :
Clicking on Product > Archive simply creates a new archive from Xcode, and doesn't use the previously created inside the
/Users/foxtom/StudioProjects/Project/build
folder.So, the documentation states that we can obfuscate macos apps, but to upload them we can't use the App Transporter from Apple as we can do for
.ipa
and also have to create a new archive from Xcode which is not obfuscated.Thanks for your understanding