First, let’s look at the ios app signing mechanism

Ios signature mechanism

  • Functions of the iOS signature mechanism

The iOS signature mechanism ensures that all apps installed on a user’s phone are approved by Apple. Except, of course, for jailbreaking devices. In normal development, whether it is debugging the real phone or releasing the App to the App Store, we need to go through the following steps

  • First of all, on the Mac to generate CertificateSigningRequest. CertSigningRequest file
  • Cer or iOS_Distribution. cer, which is a development certificate and a distribution certificate, can be obtained from Apple developer website
  • Register the device on the Apple Developer website and add the App ID.
  • Select device, App ID, and development certificate or production certificate to generate the Mobileprovision file

Cer or iOS_Distribution. cer certificate files and mobileprovision description files are available. By installing these files on the Mac, you can perform real machine debugging. Of course, if you have selected Automatically manage Signing in Xcode, then Xcode will Automatically do all of the above for us.

So, what is the function of each of these steps? What are the iOS_development. cer or iOS_Distribution. cer certificate files and mobileprovision description files obtained? What’s in those files?

IOS Signature Process

To understand exactly what all of the above files do, you need to understand the full iOS signing process. After compiling and running the project with Xcode, Xcode actually does the signing for us. You can do this by looking at the build information in Xcode

It’s just signing the.app file using the codeSign directive.

To perform the iOS signature process, you need the following public and private key information

  • Mac device public key and private key, generally generated by the Mac device
  • Apple official private key, stored in the Apple background
  • Apple’s official public key. Apple’s official public key information is stored on every iPhone after delivery

Signature Process Analysis

IOS projects will generate.app files after compilation, and the app signature operation starts from getting the.app file

  • . The first step is to get the app files, use Mac. Private key signature app files for operation, to generate the signature file stored in. The app _CodeSignature/CodeResources in the directory

  • Step 2 use the Apple private key to sign the Mac public key and generate a certificate file

  • Step 3 Use the Apple private key to sign the certificate file obtained in Step 2, devices, APP ID, and entitlement to generate the Mobileprovision file, that is, the description file.

  • Step 4 Compress the signed. App file and the mobileprovision file generated in Step 3 to generate the IPA installation package.

  • Finally, the complete signature packaging process is as follows

Validation process

The. App installation package is signed, the IPA installation package is compressed, and the ipA installation package is installed on the iPhone. The signature verification operation is performed.

  • First, verify the signature in the Mobileprovision file using the Apple public key stored on the iPhone.
  • Second, after the signature verification succeeds, the device, APP ID, and entitlement information stored in Mobileprovision is obtained. Get the certificate file at the same time. The Apple public key is then used to validate the signature in the certificate. Obtain the Mac public key after successful authentication.
  • The third step, after getting the Mac public key, use the Mac public key to verify the signature file of App. If the verification is successful, it indicates that the source code of the current App has not been tampered. The App can then be installed on an iPhone
  • Finally, the complete signature and verification process is obtained as follows

In the Mobileprovision file, there are devices, APP ID, and entitlement information, which are used as follows:

  • Devices identify which devices can install the App. If the device is not in the device, the installation will fail.
  • App ID. Only the app specified with this id can be installed. If the unique IDENTIFIER of the APP does not correspond to the APP ID, the installation fails.
  • The entitlement of the App is stored in the entitlement of the App. If the entitlement of the App is inconsistent with that of the entitlement of the App, problems may occur.

Actual signing process

We have learned the specific process of iOS signature above. Now, we will perform the actual operation step by step to verify the signature process we have learned. Cer or iOS_Distribution. cer certificate, and mobileprovision.

  • First step, the generated on the Mac CertificateSigningRequest. CertSigningRequest file, the file is actually a Mac equipment’s public key.
  • Step 2: Go to the Apple developer website, get a certificate, and install it on your Mac device. This step is to use the Apple private key to sign the Mac public key and generate certificate files iOS_development. cer and iOS_Distribution. cer
  • Step 3: Generate mobileprovision. This step is to use the Apple private key to sign devices, APP ID, entitlement, and certificate file to generate mobileprovision file. The generated Mobileprovision file determines which devices the App can be installed on, the BundleId of the App that can be installed, and the permissions the App has.

Apple official verification process

Apple’s official verification process is as follows:

Heavy signature

If we want to repackage the App and our own plugins and install them on an unjailbroken iPhone, we need to learn how to re-sign the App.

Before learning to re-sign, you need to pay attention to a few points

  • First, the executable file in the installation package must be shelled before re-signing takes effect; otherwise, the installation will fail
  • Second, the mobileprovision file required for re-signing must be applied for by a paid developer account. A free developer account cannot be re-signed.
  • Third, all dynamic libraries in the.app package (.framework,.dylib), AppExtension (PlugIns folder, extension name is appex), WatchApp (Watch folder) need to be re-signed

The CodeSign directive is re-signed

Specific steps

  • First, you need to prepare an Embedded. Mobileprovision file (which must be generated by a paid developer account and the appID, device, etc.) and put this file into the. App package

You can generate mobileprovision files in either of two ways. The first is automatically generated by Xcode and can be found in the compiled App package. The second is generated on the Apple official website.

  • Extract entitlements from embedded. Mobileprovision file, entitlements. Plist file, there are two steps:
// First export permission information from embedded. Mobileprovision file, Security CMS -d -I Embedded. Mobileprovision > temp.plist # PlistBuddy /PlistBuddy -x -c 'Print :Entitlements' Plist /usr/libexec/PlistBuddy -x -c 'Print :Entitlements' temp.plist > entitlements.plistCopy the code
  • View the certificate available on the Mac and obtain the Identity of the certificate, which is required for subsequent signature. The specific instructions are as follows
security find-identity -v -p codesigning

Copy the code

The result is as follows

➜  ~ security find-identity -v -p codesigning
  1) id "iPhone Developer: [email protected] (xxxxx)"
Copy the code
  • Re-sign all dynamic libraries and AppExtension in the. App package, if these dynamic libraries or AppExtension have been modified, if there is no modified dynamic library or AppExtension, you can skip this step. The instructions are as follows:
# -fs is short for -f-s codesign -fs certificate ID xxx.dylibCopy the code
  • For. App package signature, need to use entitlements. Plist file generated before, the command is as follows:
Codesign-fs Certificate ID -- Entitlements.plist XXX. AppCopy the code

Theos plugin is re-signed

Once the Tweak project is created and installed on a jailbroken phone via Cydia, you can change the behaviour of the App. How does that work?

  • First, the Tweak project is compiled to produce a dylib dynamic library file in the Tweak project directory. Theos /obj/debug/.
  • After executing make Package, generate the corresponding deb file and store it in packages directory.
  • Execution after make install, through Cydia installed to mobile phones, dylib file in ~ / Library/MobileSubstrate/DynamicLibraries/directory.
  • After the App starts, dylib will be loaded into the memory at the same time. If the App accesses the method in the class we hook, the method in Dylib will be directly executed.

Injection of dynamic libraries

Tweak project essentially makes dynamic libraries and they are not stored in the. App directory, so the first thing you need to do to install our reverse Tweak app on someone else’s phone is to inject the dynamic libraries from Tweak project into an executable in your app, aka a Mach-O file.

You can use the insert_dylib library to inject dynamic libraries into mach-O files, and you can download the insert_dylib tool from the insert_dylib library home page. Compile in the Release environment to get command line tools, and put the command line tools in /usr/local/bin.

Insert_dylib library usage

Insert_dylib essentially adds LC_LOAD_DYLIB or LC_LOAD_WEAK_DYLIB to Load Commands in the Mach-O file. Specific injection methods are as follows:

Insert_dylib dynamic library loading path mach-o file --all-yes --weak insert_dyli@executable_path/tweaktest.dylib Payload/Arm64Demo.app/Arm64Demo --all-yes --weak Payload/Arm64Demo.app/Arm64DemoCopy the code
  • The –weak option indicates that the App will not report an error even if the currently injected dynamic library cannot be found
  • –all-yes Indicates that all the following options are set to yes
  • Executable_path specifies the directory where the executables are located, which is the directory where the Mach-O files are located.

View dynamic library dependencies for Mach-O

There are two ways to view dynamic library dependency information

  • Check the dynamic library dependencies of Mach-O using otool
Otool -l Mach -o fileCopy the code
  • You can also view dynamic library dependencies for Mach-O through MachOView

Change the loading address of the dynamic library

After the dynamic library is injected into the mach-O file, you need to change the loading address of the dynamic library in the mach-O file, otherwise an error will be reported when the App runs because the dynamic library is not found.

You can use the install_name_tool directive to change the loading address of dynamic libraries in the Mach -o file:

Install_name_tool -change Old address New address Mach -o file install_name_tool -change /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate @loader_path/CydiaSubstrate Payload/Arm64Demo.app/tweakTest.dylibCopy the code

Note that the new address in the above directive must be filled with the full path address, but we do not know the specific address stored in dylib after the App is installed on the phone, so we can use the following two common environment variables:

  • The @executable_path represents the directory where the executables are located, which is where the Mach-o files are located. We put dylib in the same directory as the executables, and then changed the address to @executable_path/dylib name. This means that when loading a dynamic library, look for the dynamic library in the directory where the executable resides.
  • Loader_path indicates the directory where the dynamic library resides. This environment variable is usually used when the dynamic library depends on other dynamic libraries. If the dynamic library we need to inject also depends on other dynamic libraries, then we need to put the dependent dynamic library in the same directory as the original dynamic library. Then change the loading address of the dynamic library to @loader_path/ dynamic library name. This means loading the dependent dynamic library in the original dynamic library directory.

Theos developed dynamic library plug-in notes

  • We use the dylib plugin developed by Theos, which is dependent on CydiaSubstrate by default because it was installed using Cydia. CydiaSubstrate deposit plug-in directory for iPhone/Library/Frameworks/CydiaSubstrate framework/CydiaSubstrate.
  • If we want to package the dynamic library plug-in we developed into IPA, we need to package CydiaSubstrate into IPA at the same time, and modify the loading address of CydiaSubstrate.

Re-signing GUI tool

iReSign

You can click download iReSign source, run the Mac app inside, provide the path of the.app package, Entitlements. Plist path and Embedded. Mobileprovision path, you can re-sign the.app, and then package to generate an IPA file.

iOS App Signer

You can click to download the source code of iOS App Signer, select the Release environment for compilation, get the compiled Mac application, and then use it directly. Simply provide the path to the.app package and the path to Embedded. Mobileprovision