9

Is an app's executable file byte-for-byte identical when the app is purchased through the App Store and installed on a user's iPhone, compared to the original executable file submitted to Apple in the original app bundle? Or is it different (for example, with additional signatures or encryption)?

I am concerned only about the executable file, not the entire app bundle.

In particular, would code such as ...

#include <stdio.h>

int main(int argc, char* argv[]) {
   FILE* file = fopen(argv[0], "rb");
   if (file == NULL) return 1;  // the executable could not be opened
   // Read entire contents of executable file; calculate a hash value
   // ...
   fclose(file);
   return 0;
}

... calculate the same hash as calculating the hash outside of the iPhone on the original, submitted executable?

For example, calculating a SHA256 hash as above then using "Build and Run" in Xcode to run on an attached iPhone produces exactly the same result as calculating the SHA256 hash by running openssl sha256 MyAppExecutableFile from a terminal in OS X. This means the act of installing the app through Xcode does not alter the executable file.

My question is whether or not this still holds when an app is submitted to the App Store, purchased, and installed.

JohnSpeeks

2 Answers

19

The application executable is encrypted by Apple when released on the App Store, so self-running a checksum on your own binary is not a good idea (you cannot know the file size of the encrypted binary in advance).

Mind you, the binary always remains encrypted in the file system, and only the iPhone root user can decrypt these binaries. If you download an app from the App Store with iTunes, you can open the IPA on your PC or Mac and see that the binaries are indeed encrypted by running otool:

otool -l <app binary> | grep cryptid
cryptid 1
(a value of cryptid 1 means the app is encrypted)

otool -l <app binary> | grep cryptsize
12345678
(size of the encrypted segment)
Julio Gorgé
  • Did you check the .ipa or the application itself? I believe Apple adds a couple of files to the .ipa when it is downloaded, but they can't change the application itself because that would invalidate the code signing performed at compilation, preventing the application from running. – ughoavgfhw Apr 26 '11 at 04:20
  • 1
    I checked the binary inside the IPA/app bundle. Apple can indeed change the application without breaking the app, since the signature goes in a separate file inside the application bundle. They may just check the validity of the signature at submission time, then discard it, slightly alter the binary for whatever reason and then sign it with their own master certificate. – Julio Gorgé Apr 26 '11 at 04:34
  • 1
    I have heard that the app in the IPA bundle is stored encrypted but when it is "installed" on the device it may be decrypted. (Apparently that's how some "cracking" software works--it installs the app, then copies the decrypted executable off the device.) So perhaps it reverts back to the original? I wonder if there is any way to test if this is the case. I suppose you could ssh into a jailbroken iPhone and copy the application executable off of it, then see which version it is identical to? – JohnSpeeks Apr 26 '11 at 13:30
  • That's interesting John, it'd be interesting indeed if someone with a jailbroken phone could test for this. – Julio Gorgé Apr 27 '11 at 16:25
  • 1
    It looks like app binaries are indeed encrypted. I looked up several sources and verified it myself… so I've updated the answer. Thanks again John for the hint. – Julio Gorgé Apr 27 '11 at 19:09
  • That means that after the app is installed there's no way to get the code behind the app? – madcoderz Aug 16 '11 at 11:09
  • On a related note, if you can't compare checksum of downloaded app, then do we just assume that App Store downloads always succeed and you never get a bad downloaded file like you can on computers for browser/FTP downloads? Doesn't seem like App Store itself presents users with any checksum verification of downloaded apps. – David Aug 21 '12 at 22:17
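
Added example, not part of the original answers or comments: a C reader for the same cryptid and cryptsize fields that otool -l prints, taken from the LC_ENCRYPTION_INFO load command of the binary. It assumes a thin little-endian Mach-O image (no fat header); the function name macho_crypt_info and the SAMPLE bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MH_MAGIC              0xfeedfaceu /* thin 32-bit Mach-O */
#define MH_MAGIC_64           0xfeedfacfu /* thin 64-bit Mach-O */
#define LC_ENCRYPTION_INFO    0x21u
#define LC_ENCRYPTION_INFO_64 0x2Cu

/* Constructed sample, not a real app: 32-bit header plus one load command. */
static const uint8_t SAMPLE[48] = {
    0xce,0xfa,0xed,0xfe, 12,0,0,0, 9,0,0,0, 2,0,0,0, /* magic, cpu, subtype, filetype */
    1,0,0,0, 20,0,0,0, 0,0,0,0,                      /* ncmds=1, sizeofcmds=20, flags */
    0x21,0,0,0, 20,0,0,0,                            /* LC_ENCRYPTION_INFO, cmdsize=20 */
    0x00,0x10,0,0, 0x4e,0x61,0xbc,0x00, 1,0,0,0      /* cryptoff, cryptsize, cryptid=1 */
};

static uint32_t rd32(const uint8_t *p) { /* little-endian 32-bit load */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 1 and fills out[0..2] = {cryptoff, cryptsize, cryptid} when an
   encryption-info command exists, 0 when there is none, and -1 when the
   buffer is not a well-formed thin little-endian Mach-O image. */
int macho_crypt_info(const uint8_t *buf, size_t len, uint32_t out[3]) {
    if (len < 28) return -1;
    uint32_t magic = rd32(buf), ncmds = rd32(buf + 16);
    size_t off = magic == MH_MAGIC ? 28 : magic == MH_MAGIC_64 ? 32 : 0;
    if (off == 0) return -1;            /* fat or big-endian: not handled here */
    for (uint32_t i = 0; i < ncmds; i++) {
        if (off > len || len - off < 8) return -1;
        uint32_t cmd = rd32(buf + off), cmdsize = rd32(buf + off + 4);
        if (cmdsize < 8 || cmdsize > len - off) return -1;
        if (cmd == LC_ENCRYPTION_INFO || cmd == LC_ENCRYPTION_INFO_64) {
            if (cmdsize < 20) return -1;
            for (int k = 0; k < 3; k++) out[k] = rd32(buf + off + 8 + 4 * k);
            return 1;
        }
        off += cmdsize;
    }
    return 0;
}

int main(void) {
    uint32_t info[3];
    if (macho_crypt_info(SAMPLE, sizeof SAMPLE, info) == 1)
        printf("cryptoff %u cryptsize %u cryptid %u\n", info[0], info[1], info[2]);
    return 0;
}
```

A result of 0 means the image carries no encryption-info command at all, which is distinct from a command that is present with cryptid 0.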
2

The application is also stripped of your signature and signed by Apple. This can be verified by running "codesign -vvvvd" on the app binary you submit and comparing it to the output of "codesign -vvvvd" of the app binary you download from the store.

Because of this the hashes will not match.

user700048