We have been drilled that we should strip debugging symbols before releasing our app on the App Store. Apple even does this automatically for us in the build settings when we create a new project.
However when we are using Swift as our programming language, a certain feature called Reflection, embeds in the app binary all the necessary names and types of every class/struct you have defined in your project so you can Mirror() the object and list all the attributes/types dynamically at runtime.
This trove of information is an incredible source of information to hackers. Apparently, this can be controlled by a Swift compiler flag <code>SWIFT_REFLECTION_METADATA_LEVEL</code>.
I stumbled on this in an Apple Developer Forum post: <a target="_blank" href="https://developer.apple.com/forums/thread/720978">https://developer.apple.com/forums/thread/720978</a>
Which lead me to this Apple Documentation page: <a target="_blank" href="https://developer.apple.com/documentation/xcode/build-settings-reference#Reflection-Metadata-Level">https://developer.apple.com/documentation/xcode/build-settings-reference#Reflection-Metadata-Level</a>
So if you are securing an iOS/macOS app, make sure to go into your Xcode project build settings, and find <code>Swift Compiler General</code> -&gt; <code>Reflection Metadata Level</code> and set the value to <code>None</code>.

We have been drilled that we should strip debugging symbols before releasing our app on the App Store. Apple even does this automatically for us in the build settings when we create a new project.

However when we are using Swift as our programming language, a certain feature called Reflection, embeds in the app binary all the necessary names and types of every class/struct you have defined in your project so you can Mirror() the object and list all the attributes/types dynamically at runtime.

This trove of information is an incredible source of information to hackers. Apparently, this can be controlled by a Swift compiler flag `SWIFT_REFLECTION_METADATA_LEVEL`.

I stumbled on this in an Apple Developer Forum post: [https://developer.apple.com/forums/thread/720978](https://developer.apple.com/forums/thread/720978)

Which lead me to this Apple Documentation page: [https://developer.apple.com/documentation/xcode/build-settings-reference#Reflection-Metadata-Level](https://developer.apple.com/documentation/xcode/build-settings-reference#Reflection-Metadata-Level)

So if you are securing an iOS/macOS app, make sure to go into your Xcode project build settings, and find `Swift Compiler General` -&gt; `Reflection Metadata Level` and set the value to `None`.

Mobile app security tip: stripping Swift Reflection Metadata

Your Swift app is full of symbols, even if stripped.

I'm a passionate senior iOS & macOS developer with over 13 years in the Apple ecosystem and 25 years in the software industry.  I have a special interest for data security and privacy compliance!


Blog about mobile app security on iOS and macOS.  I sometime cover software architecture and unit tests.