April 4, 2023

    Continuously Protecting Your iOS Project in a Cloud-Based CI

    Guardsquare iXGuard enables developers to protect their iOS applications and libraries from reverse engineering and tampering.

    Protection takes place at the compilation stage, this is why our users often integrate this step into their Continuous Integration (CI) system.

    Usually automating this step is as simple as running one operating system command to launch iXGuard. However, cloud-based CI systems often offer short-lived build nodes that start from a clean slate. All dependencies like libraries and tools have to be downloaded and installed using a scripted action.

    Since version 4.6.x iXGuard is available for automated download through the Guardsquare CLI tool.

    Read on to learn how to solve this problem and have your cloud CI setup up and running.

    TL;DR - how to automatically download iXGuard


    Step 1. Generate a new SSH keypair
      • Use ssh-keygen to generate a new key pair, and then add it to the ssh-agent:
        eval "$(ssh-agent -s)" ssh-add --apple-use-keychain ~/.ssh/<your-key-file-name>
    Step 2. Register your SSH key on Guardsquare customer portal
      • Note that to be able to register your SSH key you will need to have the Manage Automation permission. If you do not have this permission, your Guardsquare Portal team manager can assign it to you.
    Continuously-Protecting-Your-iOS-Project-in-a-Cloud-Based-CI_inernal_1Step 3. Get Guardsquare CLI
      • curl https://downloads.guardsquare.com/cli/latest_macos_amd64 -sL | tar -x && sudo mv -i guardsquare /usr/local/bin/


      • After your environment is prepared, simply run the following command to download iXGuard:
    guardsquare --ssh-agent download ixguard -o ixguard.pkg
      • Install iXGuard using the standard installer command:
    sudo installer -pkg ixguard.pkg

    Automated, scriptable, secure

    Our goal was making the automated setup of the CI build nodes as easy as possible, and at the same time keep access to Guardsquare tools strictly on a need-to-use basis.

    Our ideal solution would be:

    • Fast
    • Fully scriptable
    • Secure

    Fast downloads

    In the future we expect that our customers’ use of cloud CI systems will only increase. This in turn will increase the load on the download infrastructure.

    We solved this problem by hosting the files on a scalable performant cloud object storage located at the infrastructure of a global cloud vendor. This way Guardsquare never becomes a bottleneck for the customers’ CI process and is able to provide excellent speed for everyone.

    Scriptable downloads

    We had to make sure that every step of the process (except the initial setup) can run automatically using a command-line script.

    The most critical step in the process is getting a secure link and downloading the correct version of iXGuard. To automate this step better we have implemented Guardsquare CLI. You can get the single-binary cli from Guardsquare servers using a simple curl command.

    Guardsquare download CLI command supports semver version string, for example this command will download iXGuard version 4.6:

    guardsquare --ssh-agent download ixguard@4.6 -o ixguard.pkg

    The -o switch provides an option to give a predefined name to the downloaded file, so that it can later be installed with aninstaller action.

    Secure download

    To make the downloads secure we chose the SSH key-based authentication mechanism. This authentication schema should be familiar to you from GitHub, Azure DevOps, and many other services.

    Simply register your SSH key on Guardsquare portal and your CLI will authenticate automatically.


    To run iXGuard on your cloud CI build node you will need to install the correct license.

    In preparation, download the license file manually from Guardsquare portal. Use your CI secrets manager to provision the license file on the build nodes. For example, for Microsoft Azure use the Secure files feature.

    Example: GitHub Action Workflow to install iXGuard

    Pre-requisite: Setup a GitHub repository secret to store your SSH_PRIVATE_KEY which matches the public key you uploaded to the Guardsquare Customer Portal

    # Workflow script to download and install iXGuard into an actions Node
        runs-on: macos-latest
          - uses: actions/checkout@v3
          # Make sure the @v0.7.0 matches the current version of the action
          - run: curl https://downloads.guardsquare.com/cli/latest_macos_amd64 -sL | tar -x && sudo mv -i guardsquare /usr/local/bin/
          - uses: webfactory/ssh-agent@v0.7.0
              ssh-private-key: $
          # download the Guardsquare CLI
          - run: guardsquare --ssh-agent download ixguard -o ixguard.pkg
          - run: sudo installer -pkg ixguard.pkg -target /


    Cloud CI systems provide reliable and scalable service to continuously build, scan, test, and deploy your applications. From now on, you can easily set up your cloud CI to protect your iOS application or SDK with Guardsquare.

    Tag(s): iOS , Protection , iXGuard

    Anton Baranenko - Product manager

    Discover how Guardsquare provides industry-leading protection for mobile apps.

    Request Pricing

    Other posts you might be interested in