Shulou(Shulou.com)06/02 Report--

This article focuses on "how to re-sign iOS applications in IPA". Interested friends may wish to have a look. The method introduced in this paper is simple, fast and practical. Let's let the editor take you to learn how to re-sign iOS applications in IPA.

Extract application Bundle from IPA

First, we need to have an .ipa file on hand. You can choose to use frida-ios-dump or other tools, which depends on your personal preference, but in the end we have to have an IPA file that can be used. We chose to use OWASP iGoat-Swift here. You can directly click [here] to download iGoat-Swift_v1.0.ipa and complete the "extraction" of the IPA file.

Next, we use ios-deploy to load the application into our test device. But if you try to load the IPA file on the side now, you may fail because the configuration file provided at this time will not run our device as a valid device for App, so we need to resign the target App.

We can extract the IPA file as a ZIP file, regardless of the file extension, because we can modify the extension directly.

$mv iGoat-Swift_v1.0.ipa iGoat-Swift_v1.0.zip$ unzip iGoat-Swift_v1.0.zip-d iGoat-Swift# this should create a directory iGoat-Swift with Payload inside

Here, we need to figure out what permissions are needed for this IPA file, so we need to extract this part first.

Extract authorized content

Every application installed on an Apple device requires a configuration profile, which needs to be created on Apple's developer portal. We assume that we already have such a file, so we have to replace the current configuration file in IPA with our configuration file, but now we need to look at the current configuration file and understand the requirements of the configuration file to create our configuration file.

First, we need to extract a plist from embedded.mobileprovision, and our working directory is the iGoat-Swift directory:

IGoat-Swift

└── Payload

└── iGoat-Swift.app

Then get the embedded.mobileprovision from the application Bundle:

$cd iGoat-Swift$ security cms-D-I Payload/iGoat-Swift.app/embedded.mobileprovision > provision.plist

We can open the plist file with a common text editor, or directly use PlistBuddy to extract all the authorized fields in the plist:

$/ usr/libexec/PlistBuddy-x-c 'Print: Entitlements' provision.plist | tee entitlements.plist$ / usr/libexec/PlistBuddy-x-c' Print: Entitlements' provision.plist > entitlements.plist$ cat entitlements.plist

Next, we will see the following information:

Application-identifier 6J6AZQ7T23.* com.apple.developer.team-identifier 6J6AZQ7T23 get-task-allow keychain-access-groups 6J6AZQ7T23.*

At this point, we already know the authorization content that needs to be created, where:

Get-task-allow: allows us to run App in debug mode, and authorization will be added when we run App from Xcode.

Keychain-access-groups: allows us to share keychain objects between App groups.

When we select the granted permissions for keychain-access-groups in Xcode, application-identifier and com.apple.developer.team-identifier will be generated automatically.

Create a "blank" application

Now, create an empty Xcode project, and the authorization for this App should be the same as the authorization for the App that we need to resign. The result of resigning is that we will get two applications with the same functionality but different signatures.

After the analysis just now, we already know that iGoat-Swift needs the permission of "keychain-access-groups", and then we need to search and add this permission in the authorization section of the project information.

Next, build and run our empty project, and after running the App on the test device, you will get a valid configuration description file that contains the test device ID.

Now that we can remove the empty App from the test device, we just need to use Xcode to create the correct configuration description file, and then use it to resign the iGoat-Swift App.

Get the correct configuration file

In the file navigation bar of Xcode, select "Product" and click the target App. Then check the Xcode Inspector area (in the right panel of the Xocde interface) to find the path to the application Bundle.

In the application Bundle, we will see "embedded.mobileprovision" and copy the configuration description file to the current working directory:

$cp PATH_YOU_GOT_FROM_XCODE/embedded.mobileprovision new_embedded.mobileprovision

We can use this configuration description file to obtain the permissions required by the target App:

$security cms-D-I new_embedded.mobileprovision > new_provision.plist$ / usr/libexec/PlistBuddy-x-c 'Print: Entitlements' new_provision.plist | tee new_entitlements.plist

Now we can remove the previous code signature:

$rm-r Payload/iGoat-Swift.app/_CodeSignature

Next, access our configuration description file (in the keychain Keychain) using the following command:

$security find-identity-v-p codesigning

Once we have the required information, we can resign the application:

$codesign-f-s "Your Provisioning Profile (AAAAAA)"-- entitlements new_entitlements.plist Payload/iGoat-Swift.app/$ codesign-f-s "Your Provisioning Profile (AAAAA)"-- entitlements new_entitlements.plist Payload/iGoat-Swift.app/Frameworks/*$ codesign-f-s "Your Provisioning Profile (AAAA)"-entitlements new_entitlements.plist Payload/iGoat-Swift.app/iGoat-Swift

Now we use the resigned application Bundle to generate a new IPA file:

$zip-qr iGoat-Swift_v1.0.ipa Payload/

Next, use ios-deploy to deploy the newly generated iOS application to our test equipment:

Ios-deploy-b iGoat-Swift_v1.0.ipa so far, I believe you have a better understanding of "how to re-sign iOS applications in IPA". You might as well do it in practice. Here is the website, more related content can enter the relevant channels to inquire, follow us, continue to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.