Analyzing iOS apps 1/3 - *.ipa files

PUBLISHED ON 2018-03-28 — REVERSE ENGINEERING

What are you actually getting when you’re downloading an app from the App Store?

Preliminary note

As an example I’m using my own (free) app Local Storage. Apart from legal reasons this also has the benefit that I can compare the findings with the actual source code that I have available.

The same process can of course be applied to any app. But might leave you guessing at some point. And not be 100% legal.

As of writing I am running macOS High Sierra 10.13.3, iTunes 12.7.3, Configurator 2.6.1 and XCode 9.2.

Downloading ipa files

App-Store-internally iOS apps are distrubuted as *.ipa archives.

But it’s not so easy to actually get a download link. The web version of the App Store doesn’t contain it. And of course there’s no way to obtain that info from the App Store app on your device.

App Store listing screenshot

In previous versions of iTunes it was possible to browse and download apps (for later sync/installation to your device). The files were saved to ~/Music/iTunes/Mobile Applications/*.ipa. However with version 12.7.0 all App Store related features got removed. This is not to be confused with backups by the way, it’s still possible to create and restore *.ipsw files. And while it’s possible to downgrade to 12.6.3.6 (the last version with App Store functionality) it is generally not recommended.

Instead install Apple’s official tool Configurator 2 from the Mac App Store. That program is supposed to be used for managing multiple devices in a corporate or education setting and has a bit of a weird interface when just connecting one device.

  • Connect your device via USB
  • Right click device, Add, Apps …
  • Choose app from list or use the search bar
  • The process begins, the app is being downloaded
  • When prompted The app named “{app-name}” already exists on “{device-name}”, would you like to replace it? don’t click anything yet
    • If you don’t the app installed the whole thing happens to fast, and the *.ipa file gets deleted before you have a chance of copying it out
    • Simply repeat if you miss it
  • Instead open a Terminal and change to the temporary items directory of Configurator 2
    • cd ~/Library/Group\ Containers/K36BKF7T3D.group.com.apple.configurator/Library/Caches/Assets/TemporaryItems/MobileApps/
    • The next two levels are random strings, just cd downwards
    • ls finally shows an *.ipa file
    • Copy the file to your Downloads folder via cp Local\ Storage\ 1.2.3.ipa ~/Downloads/
  • Stop the installation process in Configurator 2, no need to reinstall

Configurator 2 downloading screenshot

Installing ipa files

Just like with downloading it was also possible to use iTunes to install *.ipa files to your device. Version 12.7.0 removed this feature too.

Again Apple’s tool Configurator 2 comes into play.

  • Right click device, Add, Apps …
  • Choose from my Mac …
  • Select *.ipa file
  • Add

Configurator 2 adding screenshot

Apparently it’s also possible to use third party software like iFunbox, Diawi or iTools for this purpose. No idea if those can be trusted and still work.

Extracting ipa files

Good news: An *.ipa file just a renamed *.zip file. Change the extension and extract.

Content of extracted ipa files

  • File iTunesArtwork
    • This is actually a *.jpg file without the extension
    • It contains the app icon in 1024x1024 resolution without the rounded borders
  • File iTunesMetadata.plist
    • This a xml/plist containing info about the app listing in the App Store as well as the Apple ID of the account it was downloaded with (keys: apple-id, userName)
    • Meaning each download is personalized, take this into account when sharing an *.ipa file
    • This is probably the reason why it was so hard to get a download link
  • File META-INF/com.apple.FixedZipMetadata.bin
    • This is a tiny 23 bytes binary file
    • Opened with HexFiend it shows that it just contains the string “MdFx
    • No idea what this is about

File opened in HexFiend

  • File META-INF/com.apple.ZipMetadata.plist
    • Is a binary/plist, meaning you can only open it in XCode, not in a text editor
    • It seems to contain info about how this *.ipa was created (the zip command used, permissions, uncompressed file size)

Binary plist in XCode screenshot

  • File Payload/localstorage.app
    • This is actually a directory, just like with *.app files for macOS Finder hides this fact from the user
    • But they can be explored further by right clicking and selecting Show Package contents, or of course in Terminal
    • And here the rabbit hole begins, more about that in Part 2 of 3 (tba)

Extracted file in Finder screenshot

Checking ipa code signing

A plist file with the extension *.mobileprovision is not contained in what I got from Configurator 2.

  • So I can’t run security cms -D -i {path-to-provisioning-profile}.
  • And installing the QuickLook extension Provisioning doesn’t show any infos when run on the *.ipa file.
  • The output of the QuickLook extension ProvisionQL shows something but not much concerning signing.

ProvisionQL on ipa

Some basic infos can be shown via codesign -dvvv {path-to-*.app}. Things like the certificate date or the UUID of the app are missing here though.

Codesign on app

Untested: The command line tool Nomad (Shenzen) apparently is able to show a bit more when running ipa info {path-to-*.ipa}.

In closing

This concludes Part 1 of 3 of my series on analyzing iOS apps.

Part 2 will be about the content of the *.app directory, and Part 3 will look into at Unix executable. These are not ready yet, but will be linked here later.

Did I get something wrong or do you have questions? Drop me a mail.

Sources

  • Wikipedia article on ipa
  • How to tell what profile/signing certificate was used to sign .ipa? on StackExchange
TAGS: IOS, SWIFT, XCODE
ios | next >

home