See the master compilation guidelines for instructions for other platforms.
The Veracode Platform requires all binary executables and all required libraries for the application.
Supported iOS Platforms and Compilers
|Objective-C, C/C++, Swift 3.x, 4.x, 5.x (compiled as bitcode)||iOS||
Note: Initial support for watchOS 6
The following instructions provide specific guidance on how to use Xcode to configure the scan settings that Veracode uses to scan your iOS application. These instructions also explain how to use the Apple Xcode utility to compile iOS applications for Veracode using the command line. Veracode also supports analyzing applications compiled with the PhoneGap, Titanium, Xamarin, and React Native cross-platform development frameworks.
Veracode analyzes all components submitted with an iOS application, such as standalone frameworks, extensions, and watchOS extensions. After a prescan, you can select these components as separate modules.
Veracode can scan only iPhone, iPad, or Watch applications compiled with debug symbols. Providing debug scans of iOS application code enables the Veracode Platform to provide source file and line number information about the location of flaws found.
Compilation Guidance for iOS
The following settings are necessary for Veracode to analyze your application, and do not affect any project-specific settings that your application may require.
To test applications built for this version of Xcode:
- Launch Xcode, and select the Project and Signing Profile.
- In the Project Navigator, select the Project and its target to display the project editor.
- Go to Build Settings and select All instead of Basic.
- Go to DWARF with dSYM file. and set the values to
- Go to Yes. and set the value to
- Select Archive. , click
- For Build Configuration, select Debug.
- From the Xcode project editor, choose Generic iOS Device from the Scheme menu.
- Go to the Product menu option and select Archive.
- After the archiving process is complete, an Xcode Organizer is displayed with your archive highlighted.
- Right-click the project and choose Show in Finder.
Use xcodebuild with the parameters shown in the following example to compile your application from the command line:
xcodebuild archive -project MyApp.xcodeproj -scheme MyApp -destination generic/platform=iOS DEBUG_INFORMATION_FORMAT=dwarf-with-dsym ENABLE_BITCODE=YESIf you compile your application from the command line, you still must set the archive build configuration in the project scheme to Debug. To set the archive build configuration, go to and select Debug.
After you compile your application, you must package the archive according to the packaging guidance.
If you are using the Cocoapods dependency manager, you can add the following snippet to the bottom of your podfile to automatically enable bitcode for your project dependencies.
- Add the following snippet to your
post_install do |installer| installer.pods_project.targets.each do |target| target.build_configurations.each do |config| config.build_settings['ENABLE_BITCODE'] = 'YES' end end end
- Run this command in the terminal:
> cd <project_home_dir> && pod install
To submit your iOS application to the Veracode Platform, Veracode requires that you package your application as a BCA file, which contains debug (dSYM) information for the application. You must manually create the package because Xcode does not bundle the debug information automatically.
Veracode offers a mobile application packager for Xcode that can help package iOS applications built with Xcode 9.x or later. Veracode recommends you use this tool to easily prepare your application for analysis on the Veracode Platform. View the instructions on installing and using the Veracode Mobile Application Packager here.
If you are unable to package your application using the Veracode Mobile Application Packager, you can package your application manually using these instructions:
- Navigate to the Xcode archive that contains the compiled iOS application. The
archive is usually located
- In macOS, right-click the archive and select Show Package
Contents.Note: If you are working with this archive on a computer that does not have Xcode installed, navigate to the archives folder, and you have the ability to open the XCARCHIVE file as a folder.
- Expand the Products folder and select the Applications folder.
- Move the Applications folder out of the Projects folder, and place it in the parent directory.
- Rename the Applications folder Payload.
- Delete the Products folder, so that the final directory is
structured similar to this example:
Note: Optionally, you can exclude the SwiftSupport or SCMBlueprint folders if they exist in the Projects folder.
- Create a ZIP archive containing the Payload folder: highlight all
items in the directory, right-click, and select
When your compression is complete, your directory should look similar to this example:
- Right-click the file Archive.zip, and select Get Info.
- Under Name & Extension, rename the archive to <project
- When prompted, click Use .bca to change the extension.
- Move the new BCA file to a new location on your computer. This is the file you upload to the Veracode Platform.
- You can now upload your iOS application to the Veracode Platform for analysis. Review the Veracode Static Analysis Guide for detailed instructions on submitting an application for analysis.