Objective-C Selector Indirection
| Plan | Platforms | MASVS |
|---|---|---|
| Team | iOS | MASVS-RESILIENCE-3 |
Overview
Objective-C Selector Indirection obfuscates selected Objective-C selector references in protected iOS builds. Use it when selector names and message-send patterns reveal too much about sensitive workflows, proprietary logic, or internal app structure.
Objective-C selectors can expose meaningful method names even after debug symbols are stripped. Selector Indirection reduces the value of that metadata while preserving expected runtime behavior for supported app code.
How It Works
During protected build processing, AppTego rewrites supported selector references so static analysis tools have a harder time mapping readable selector names to security-sensitive behavior. The app continues to use the Objective-C runtime as expected, but selected references become less useful during binary inspection.
Because this is a build-time transformation, enabling or disabling the control requires a new protected IPA.
How to Enable the Control
Navigate to Code Obfuscation from the AppTego portal, and expand the Name Obfuscation section. Under this section you will find the Objective-C Selector Indirection control. Click Enable to apply it to the next protected build.
API Configuration Example
{
"SelectorIndirection": {
"protection": true
}
}| Field | Purpose |
|---|---|
protection | Enables objective-c selector indirection for protected builds. |
Use When
| Use case | Why it helps |
|---|---|
| Objective-C or mixed-language apps | Reduces readable selector references that remain after normal symbol stripping. |
| Sensitive business logic | Makes method-name harvesting less useful for payment, licensing, fraud, or authentication code. |
| Apps using public frameworks | Preserves necessary platform behavior while reducing selected application-level disclosure. |
| Enterprise hardening profiles | Adds deeper iOS name-obfuscation coverage beyond symbol stripping. |
Rollout Guidance
- Enable the control in Development.
- Build a protected IPA.
- Test screens and SDKs that rely on selectors, delegates, notifications, callbacks, reflection, or dynamic dispatch.
- Validate login, payments, analytics, crash reporting, deep links, push handling, and native bridge flows.
- Promote only after QA confirms the app behaves normally on physical devices.
Compatibility Notes
- Dynamic Objective-C features should be tested carefully, especially reflection,
performSelector, method swizzling, selectors stored as strings, and third-party SDK callbacks. - Some selectors may need to remain unchanged for platform or framework compatibility.
- Selector Indirection is strongest when paired with metadata reduction and string protection.
Support Matrix
| Platform | Supported Versions | Notes |
|---|---|---|
| Android | Not supported | Android name hardening uses controls such as Rename Classes and Rename Private Members. |
| iOS | All versions | Applies to supported Objective-C selector references during protected build processing. |