Compilation Instructions for iOS

Compilation Guide

See the master compilation guidelines for instructions for other platforms.

Required Files

The Veracode Platform requires all binary executables and all required libraries for the application.

This compilation guidance covers native iOS applications developed using Objective-C and Swift. For support for applications developed with JavaScript, please refer to the guidance for PhoneGap, Titanium, Xamarin, and React Native.

Supported iOS Platforms and Compilers

Language: Objective-C, C/C++, Swift 3.x, 4.x, 5.x (compiled as bitcode)
Platform: iOS
Version: iOS 11-12
IDE: Xcode 9.x-10.2.x

The following instructions provide specific guidance on how to use Xcode to configure the scan settings for your iOS application so Veracode can scan it, and how to use Apple's Xcode utility to compile iOS applications for Veracode via the command line. Veracode also supports analyzing applications compiled with the PhoneGap, Titanium, and Xamarin cross-platform development frameworks.

Veracode can scan only iPhone or iPad applications compiled with debug symbols. The debug information enables the Veracode Platform to report the source file and line number where each flaw was found.

Compilation Guidance for Xcode 9.x-10.1.x for iOS 11 and 12

Note: Veracode requires that all components of iOS applications support bitcode. Veracode no longer provides support for applications targeted for earlier versions of iOS or built with earlier versions of Xcode.

Veracode offers a mobile application packager for Xcode that includes a CLI tool that can help compile and package iOS applications built with Xcode 9.x or later. View the instructions on installing and using the Veracode Mobile Application Packager Command-Line Tool here.

The following settings are necessary for Veracode to analyze your application, and do not affect any project-specific settings that your application may require.

To test applications built for this version of Xcode:

  1. Launch Xcode, and select the Project and Signing Profile.
  2. In the Project Navigator, select the Project and its target to display the project editor.
  3. Go to Build Settings and select All instead of Basic.
  4. Go to Build Settings > Build Options > Debug Information Format and set the values to DWARF with dSYM file.
  5. Go to Build Settings > Build Options > Enable Bitcode and set the value to Yes.
  6. Select Product > Scheme > Edit Scheme, then click Archive.
  7. For Build Configuration, select Debug.
  8. From the Xcode project editor, choose Generic iOS Device from the Scheme menu.
  9. Go to the Product menu option and select Archive.
  10. After the archiving process is complete, an Xcode Organizer is displayed with your archive highlighted.
  11. Right-click the project and choose Show in Finder.

Use xcodebuild with the parameters shown in the following example to compile your application from the command line:

    xcodebuild archive -project MyApp.xcodeproj -scheme MyApp -destination generic/platform=iOS DEBUG_INFORMATION_FORMAT=dwarf-with-dsym ENABLE_BITCODE=YES

If you compile your application from the command line, you must still set the archive build configuration in the project scheme to Debug. To set the archive build configuration, go to Product > Scheme > Edit Scheme > Archive > Build Configuration and select Debug.

After you compile your application, you must package the archive according to the packaging guidance.

If you are using the CocoaPods dependency manager, you can add the following snippet to the bottom of your Podfile to automatically enable bitcode for your project dependencies.

  1. Add the following snippet to your Podfile:
    # Enable bitcode for every build configuration of every pod target
    post_install do |installer|
      installer.pods_project.targets.each do |target|
        target.build_configurations.each do |config|
          config.build_settings['ENABLE_BITCODE'] = 'YES'
        end
      end
    end
  2. Run this command in the terminal:
    > cd <project_home_dir> && pod install

Packaging Guidance

To submit your iOS application to the Veracode Platform, Veracode requires that you package your application as a compressed file with an extension of .bca and a specific file structure, which contains debug (dSYM) information for the application. You must manually create the package because Xcode does not bundle the debug information automatically.

Veracode offers a mobile application packager for Xcode that can help package iOS applications built with Xcode 9.x or later. Veracode recommends you use this tool to easily prepare your application for analysis on the Veracode Platform. View the instructions on installing and using the Veracode Mobile Application Packager here.

If you are unable to package your application using the Veracode Mobile Application Packager, you can package your application manually using the following instructions:

  1. Navigate to the Xcode archive that contains the compiled iOS application. The archive is usually located in:

    ~/Library/Developer/Xcode/Archives

  2. In macOS, right-click the archive and select Show Package Contents.
    Note: If you are working with this archive on a computer that does not have Xcode installed, navigate to the archives folder, where you can open the XCARCHIVE file as a folder.
  3. Expand the Products folder and select the Applications folder.
  4. Move the Applications folder out of the Products folder, and place it in the parent directory.
  5. Rename the Applications folder Payload.
  6. Delete the Products folder, so that the final directory is structured similar to this example:

  7. Create a ZIP archive containing the Payload folder: highlight all items in the directory, right-click, and select Compress.

    When your compression is complete, your directory should look similar to this example:



  8. Right-click the file Archive.zip, and select Get Info.
  9. Under Name & Extension, rename the archive to <project title>.bca.

  10. When prompted, click Use .bca to change the extension.
  11. Move the new BCA file to a new location on your computer. This is the file you upload to the Veracode Platform.
  12. You can now upload your iOS application to the Veracode Platform for analysis. Review the Veracode Static Analysis Guide for detailed instructions on submitting an application for analysis.
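
The manual packaging steps above can be scripted for a build server. This is an added example, not Veracode's packager or code from this page: it maps the archive layout to the .bca layout, refuses to build a package that lacks an .app bundle or a dSYM, and leaves the .xcarchive untouched. The function names and the MyApp sample archive are constructed for illustration; dSYMs/ is the folder where Xcode archives keep debug symbols.

```python
import tempfile
import zipfile
from pathlib import Path

def bca_name(rel):
    """Map a path relative to the .xcarchive to its name inside the .bca."""
    parts = rel.parts
    if parts[:2] == ("Products", "Applications"):
        return "/".join(("Payload",) + parts[2:])  # steps 4-5: move and rename
    if parts[0] == "Products":
        return None  # step 6: nothing else under Products is shipped
    return "/".join(parts)  # dSYMs, Info.plist, ... keep their place

def check_names(names):
    """Return the reasons a package is unusable (empty list means OK)."""
    problems = []
    if not any(n.startswith("Payload/") and ".app/" in n for n in names):
        problems.append("no .app bundle under Payload/")
    if not any(n.startswith("dSYMs/") and ".dSYM/" in n for n in names):
        problems.append("no dSYM under dSYMs/; build with DWARF with dSYM file")
    return problems

def package_bca(xcarchive, out_dir, title):
    """Write <title>.bca into out_dir; raise ValueError if symbols are missing."""
    files = [p for p in sorted(xcarchive.rglob("*")) if p.is_file()]
    names = {p: bca_name(p.relative_to(xcarchive)) for p in files}
    problems = check_names([n for n in names.values() if n])
    if problems:
        raise ValueError("; ".join(problems))
    out_dir.mkdir(parents=True, exist_ok=True)
    bca = out_dir / f"{title}.bca"
    with zipfile.ZipFile(bca, "w", zipfile.ZIP_DEFLATED) as zf:  # steps 7-10
        for path, name in names.items():
            if name:
                zf.write(path, name)
    return bca

def make_sample_xcarchive(root):
    """Constructed stand-in for a real archive: real layout, dummy files."""
    arc = root / "MyApp.xcarchive"
    for rel in ("Info.plist", "Products/Applications/MyApp.app/MyApp",
                "dSYMs/MyApp.app.dSYM/Contents/Resources/DWARF/MyApp"):
        (arc / rel).parent.mkdir(parents=True, exist_ok=True)
        (arc / rel).write_text("dummy")
    return arc

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        arc = make_sample_xcarchive(Path(tmp))
        print(zipfile.ZipFile(package_bca(arc, Path(tmp) / "out", "MyApp")).namelist())
```

Symbolic links inside the archive are followed and stored as regular files, which differs from the Finder Compress command.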