Should I release an app to the App Store with print statements in it?

I intend to release my app to the App Store soon (after TestFlight). I have quite a few view controllers with print statements in them. The print statements are for testing purposes (debugger) and the user will never see them.
Will it make any difference if I do or don’t include the print statements inside the app once I release it?
Will the print statements make any difference as far as reducing speed when switching between scenes even if by milliseconds?
Can I get rejected for including them inside my app?
In a couple of VCs I print the uids just for clarity on my part. Are there any security risks in including those print statements in the app?


Solution 1:

I assume you are using Swift, then print is completely safe, even for AppStore builds. You are not going to be rejected and it’s not a security risk either.

print, unlike the similar NSLog, is not going to produce any logs anywhere that would be visible to the user (e.g. in Xcode Device Console).

More info on the difference between print and NSLog: Swift: print() vs println() vs NSLog()

Solution 2:

The premise of the question assumes you are facing an adversary who wants to introspect your app. So the question you need to answer is: “to what extent do you want (or are required) to make it difficult for these people?”.

All you are doing by using print instead of NSLog is raising the bar to introspection. There is no 100% guaranteed way to prevent an attacker from introspecting your app, assuming they are able to execute it on a device that has had its security compromised (i.e. is jailbroken).

One system-level tweak I created is to hook every print() call and NSLog its arguments… thus converting a print() to an NSLog. Now there are tweaks like Logify that will hook all classes and methods in an app so you can trace its execution flow completely, but this is a bit of a nightmare to read through.

If you are creating a particularly sensitive app and want to make things harder, you could just wrap print() calls in a compiler statement to see if you are on a simulator:


This is still a fallible mechanism, but does raise the bar even higher. Just depends what your requirements are 🙂

Me: I'm a penetration tester for mobile apps, and have extensive experience in “how not to do things”.
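
One way to write the compile-time wrapper that Solution 2 describes, as an added example that is not code from either answer. The names debugLog, redacted and sampleUID are hypothetical, and the DEBUG condition assumes the project's Debug configuration defines it (Xcode's default template does).

```swift
import Foundation

/// Hypothetical helper (not from the original answers).
/// The print call is compiled in only for simulator builds or builds that
/// define the DEBUG compilation condition. In any other build the function
/// body is empty, so the autoclosure is never called and the message
/// expression (for example a uid lookup) is never evaluated at run time.
func debugLog(_ message: @autoclosure () -> String,
              file: String = #fileID,
              line: Int = #line) {
    #if targetEnvironment(simulator) || DEBUG
    print("[\(file):\(line)] \(message())")
    #endif
}

/// Hypothetical helper: keeps only the first few characters of an
/// identifier, so that even debug output does not carry a full uid.
func redacted(_ uid: String, keep: Int = 4) -> String {
    guard uid.count > keep else {
        return String(repeating: "*", count: uid.count)
    }
    return String(uid.prefix(keep)) + String(repeating: "*", count: uid.count - keep)
}

// Constructed sample value, not a real identifier.
let sampleUID = "a1b2c3d4e5f6"

// Call sites read the same as print(), but produce output only in
// simulator or DEBUG builds.
debugLog("signed in as \(redacted(sampleUID))")
```

Routing every log call through one function also gives a single place to audit what the app writes out before a release build is archived.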