Encrypt Unicode Strings
| Plan | Platforms | MASVS |
|---|---|---|
| Team | iOS | MASVS-RESILIENCE-3 |
Overview
Encrypt Unicode Strings protects supported UTF-16 and wide-string content in protected iOS builds. Use it when customer-facing text, localized values, identifiers, API paths, feature labels, or sensitive non-ASCII strings should not be readable through simple binary inspection.
This control complements Encrypt Strings. Encrypt Strings covers general string literals across Android and iOS, while Encrypt Unicode Strings focuses on iOS string formats that are commonly exposed as UTF-16 content.
How It Works
During protected build creation, AppTego identifies supported Unicode string content in the iOS artifact and stores it in an encrypted form. The protected app restores the value only when the app needs it at runtime, so normal app behavior is preserved while static inspection produces encrypted data instead of readable text.
The control is applied during the build pipeline. Changing it requires creating a new protected build and validating the resulting IPA.
How to Enable the Control
Navigate to Code Obfuscation from the AppTego portal, and expand the Code And String Protection section. Under this section you will find the Encrypt Unicode Strings control. Click Enable to apply it to the next protected build.
API Configuration Example
{
"EncryptUStrings": {
"protection": true
}
}| Field | Purpose |
|---|---|
protection | Enables encrypt unicode strings for protected builds. |
Use When
| Use case | Why it helps |
|---|---|
| Localized apps | Reduces readable localized strings that may expose features, routes, or internal workflow names. |
| Sensitive customer copy | Keeps regulated, support, or enforcement wording out of simple string dumps. |
| High-value iOS apps | Adds another layer of resistance for teams already using symbol and metadata reduction. |
| Non-ASCII string content | Protects string forms that may not be covered by basic ASCII-focused inspection. |
Rollout Guidance
- Enable the control in Development.
- Build a protected IPA.
- Test launch, login, localization, feature flags, support copy, and any screens that render dynamic or translated text.
- Validate crash reporting, analytics, and support diagnostics still show the information your team needs.
- Promote to Staging and Production only after QA verifies the protected build on physical devices.
Compatibility Notes
- Apps with heavy localization should test every supported language and region.
- Runtime decryption adds a small overhead when protected strings are accessed.
- Strings that must remain visible for platform behavior, framework compatibility, or runtime lookup may be preserved by AppTego.
- Crash and analytics tools may show protected string values differently during static artifact inspection; runtime app behavior should remain unchanged.
Support Matrix
| Platform | Supported Versions | Notes |
|---|---|---|
| Android | Not supported | Use Encrypt Strings for Android string protection. |
| iOS | All versions | Protects supported UTF-16 and wide-string content during protected build processing. |