applesign - npm explorer

node-applesign
===============

NodeJS module and commandline utility for re-signing iOS applications (IPA files).

Author
------

Sergi Alvarez Capilla aka pancake @ nowsecure.com

Program Dependencies
--------------------

* zip - re-create IPA
* unzip - decompress IPA (see npm run unzip-lzfse)
* codesign - sign and verify binary with new entitlements and identity
* security - get entitlements from mobileprovision
* insert_dylib - only if you want to use the -I,--insert flag

Usage
-----

When running without arguments we get a short help message

``$ bin/applesign.js Usage:

applesign [--options ...] [target.ipa | Payload/Target.app]

-a, --all Resign all binaries, even it unrelated to the app -b, --bundleid [BUNDLEID] Change the bundleid when repackaging -c, --clone-entitlements Clone the entitlements from the provisioning to the bin -f, --force-family Force UIDeviceFamily in Info.plist to be iPhone -h, --help Show verbose help message -H, --allow-http Add NSAppTransportSecurity.NSAllowsArbitraryLoads in plist -i, --identity [1C4D1A..] Specify hash-id of the identity to use -L, --identities List local codesign identities -m, --mobileprovision [FILE] Specify the mobileprovision file to use -o, --output [APP.IPA] Path to the output IPA filename -O, --osversion 9.0 Force specific OSVersion if any in Info.plist -p, --without-plugins Remove plugins (excluding XCTests) from the resigned IPA -w, --without-watchapp Remove the WatchApp from the IPA before resigning -x, --without-xctests Remove the XCTests from the resigned IPA

Example:

$ applesign -w -c -m embedded.mobileprovision target.ipa`

The full help is displayed when passing the --help flag.

`$ bin/applesign.js --help Usage:

applesign [--options ...] [input-ipafile]

Packaging: -7, --use-7zip Use 7zip instead of unzip -A, --all-dirs Archive all directories, not just Payload/ -I, --insert [frida.dylib] Insert a dynamic library to the main executable -l, --lipo [arm64|armv7] Lipo -thin all bins inside the IPA for the given architecture -n, --noclean keep temporary files when signing error happens -o, --output [APP.IPA] Path to the output IPA filename -P, --parallel Run layered signing dependencies in parallel (EXPERIMENTAL) -r, --replace Replace the input IPA file with the resigned one -u, --unfair Resign encrypted applications -z, --ignore-zip-errors Ignore unzip/7z uncompressing errors

Stripping: -p, --without-plugins Remove plugins (excluding XCTests) from the resigned IPA -w, --without-watchapp Remove the WatchApp from the IPA before resigning -x, --without-xctests Remove the XCTests from the resigned IPA

Signing: --use-openssl Use OpenSSL cms instead of Apple's security tool -a, --all Resign all binaries, even it unrelated to the app -i, --identity [1C4D1A..] Specify hash-id of the identity to use -k, --keychain [KEYCHAIN] Specify alternative keychain file -K, --add-access-group [NAME] Add $(TeamIdentifier).NAME to keychain-access-groups -L, --identities List local codesign identities -m, --mobileprovision [FILE] Specify the mobileprovision file to use -s, --single Sign a single file instead of an IPA -S, --self-sign-provision Self-sign mobile provisioning (EXPERIMENTAL) -v, --verify Verify all the signed files at the end -V, --verify-twice Verify after signing every file and at the end

Info.plist -b, --bundleid [BUNDLEID] Change the bundleid when repackaging -B, --bundleid-access-group Add $(TeamIdentifier).bundleid to keychain-access-groups -f, --force-family Force UIDeviceFamily in Info.plist to be iPhone -H, --allow-http Add NSAppTransportSecurity.NSAllowsArbitraryLoads in plist -O, --osversion 9.0 Force specific OSVersion if any in Info.plist

Entitlements: -c, --clone-entitlements Clone the entitlements from the provisioning to the bin -e, --entitlements [ENTITL] Specify entitlements file (EXPERIMENTAL) -E, --entry-entitlement Use generic entitlement (EXPERIMENTAL) -M, --massage-entitlements Massage entitlements to remove privileged ones -t, --without-get-task-allow Do not set the get-task-allow entitlement (EXPERIMENTAL) -C, --no-entitlements-file Do not create .entitlements file in the IPA

-h, --help Show this help message --version Show applesign version [input-ipafile] Path to the IPA file to resign

Examples:

$ applesign -L # enumerate codesign identities, grab one and use it with -i $ applesign -m embedded.mobileprovision target.ipa $ applesign -i AD71EB42BC289A2B9FD3C2D5C9F02D923495A23C target.ipa $ applesign -m a.mobileprovision -c --lipo arm64 -w target.ipa

Installing in the device:

$ ideviceinstaller -i target-resigned.ipa $ ios-deploy -b target-resigned.ipa

List local codesign identities:

$ bin/applesign -L

Resign an IPA with a specific identity:

$ bin/applesign -i 1C4D1A442A623A91E6656F74D170A711CB1D257A foo.ipa

Change bundleid:

$ bin/applesign -b org.nowsecure.testapp path/to/ipa

Signing methods ---------------

There are different ways to sign an IPA file with applesign for experimental reasons.

You may want to check the following options:

-c, --clone-entitlements

put the entitlements embedded inside the signed mobileprovisioning file provided by the user as the default ones to sign all the binaries

-S, --self-sign-provision

creates a custom mobileprovisioning (unsigned for now). installd complains

-E, --entry-entitlement

use the default entitlements plist. useful when troubleshooting

The default signing method does as follow:

* Grab entitlements from binary * Remove problematic entitlements * Grab entitlements from the provisioning * Adjust application-id and team-id of the binary with the provisioning ones * Copy the original mobileprovisioning inside the IPA * Creates ${AppName}.entitlements and signs all the mach0s

After some testing we will probably go for having -c or -E as default.

In addition, for performance reasons, applesign supports -p for parallel signing. The order of signing the binaries inside an IPA matters, so applesign creates a dependency list of all the bins and signs them in order. The parallel signing aims to run in parallel as much tasks as possible without breaking the dependency list.

Mangling --------

It is possible with --force-family to remove the UISupportedDevices from the Info.plist and replace the entitlement information found in the mobileprovisioning and then carefully massage the rest of entitlements to drop the privileged ones (--massage-entitlements).

Other interesting manipulations that can be done in the IPA are:

-I, --insert [frida.dylib]

Allows to insert a dynamic library in the main executable. This is how Frida can be injected to introspect iOS applications without jailbreak.

-l, --lipo [arm64|armv7]

Thinifies an IPA by removing all fatmach0s to only contain binaries for one specified architecture. Also this is helpful to identify non-arm binaries embedded inside IPA that can be leaked from development or pre-production environments.

In order to thinify the final IPA even more, applesign allows to drop the watchapp extensions which would not be necessary for non Apple Watch users.

Performance -----------

Sometimes the time required to run the codesigning step matters, so applesign allows to skip some steps and speedup the process.

See --dont-verify and --parallel commandline flags.

Enabling those options can result on a 35% speedup on ~60MB IPAs.

API usage ---------

Here's a simple program that resigns an IPA:

`js const Applesign = require('applesign');

const as = new Applesign({ identity: '81A24300FE2A8EAA99A9601FDA3EA811CD80526A', mobileprovision: '/path/to/dev.mobileprovision', withoutWatchapp: true }); as.events.on('warning', (msg) => { console.log('WARNING', msg); }) .on('message', (msg) => { console.log('msg', msg); });

as.signIPA('/path/to/app.ipa') .then(_ => { console.log('ios-deploy -b', as.config.outfile); }) .catch(e => { console.error(e); process.exitCode = 1; });

To list the developer identities available in the system:

`js try { const ids = await as.getIdentities(); ids.forEach((id) => { console.log(id.hash, id.name); }); } catch (err) { console.error(err, ids); }`

Bear in mind that the Applesign object can tuned to use different configuration options:

`js const options = { file: '/path/to/app.ipa', outfile: '/path/to/app-resigned.ipa', entitlement: '/path/to/entitlement', bundleid: 'app.company.bundleid', identity: 'hash id of the developer', mobileprovision: '/path/to/mobileprovision file', ignoreVerificationErrors: true, withoutWatchapp: true };``