9

Recently I saw a website that offers lots of App Store applications; they had resigned those applications with their Enterprise account and let people download them directly to their iPhones/iPads.

I am wondering how they do this. I have resigned .ipa files that were created for Ad-Hoc distribution via an Enterprise account, but how do they resign App Store applications with an enterprise account too?

I am asking because it is important: we should consider the additional security challenges of our App Store applications being resigned with enterprise accounts.

JAL
Husein Behboudi Rad

2 Answers

7

When an IPA is downloaded from the app store (including by Xcode), the binaries in that IPA are encrypted by Apple. Simply resigning these binaries will not work. One way to remove the DRM, and this may be illegal in your country, is to extract the unencrypted binary during runtime on a jailbroken device.

Note that when resigning apps, such services need to use a different provisioning profile than you originally used, and that provisioning profile will have a different bundle identifier than the one in your Info.plist. You can use tools such as TCMobileProvision to inspect and compare the two identifiers. This is a cat and mouse game, as they could actively look for that code and remove it statically, but you will most likely reduce the possibility of your app being resigned significantly.

Léo Natan
  • 2
    Thanks for answering @Leo. So as I understand it, without a jailbroken device and extracting the unencrypted binary it is not possible to resign the IPAs. If that is the only way, how was I able to resign IPAs that my team sent to me with iReSign (see the app at https://github.com/maciekish/iReSign), but could not resign App Store downloaded IPAs? – Husein Behboudi Rad Sep 06 '16 at 11:25
  • That is correct. Your team's IPA is not encrypted with DRM, while AppStore IPAs are. – Léo Natan Sep 08 '16 at 06:45
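The check Léo describes above (compare the identifiers in the embedded provisioning profile with the ones your build actually uses), as an added example that is not part of this thread and does not use TCMobileProvision. It pulls the XML plist out of the profile's signed envelope and flags a team-ID mismatch, a wildcard application-identifier (which would otherwise match any bundle id) and an in-house profile; the profile bytes, team IDs and bundle id are constructed placeholders, and the expected values would come from your own Info.plist and developer team.

```python
import plistlib
import re

def make_sample_profile(team_id, app_id_suffix, all_devices):
    """Constructed stand-in for embedded.mobileprovision: placeholder bytes
    replace the CMS/DER envelope that normally wraps the XML plist."""
    plist = {
        "Name": "sample profile",
        "TeamIdentifier": [team_id],
        "Entitlements": {
            "application-identifier": f"{team_id}.{app_id_suffix}",
            "com.apple.developer.team-identifier": team_id,
            "get-task-allow": False,
        },
    }
    if all_devices:  # in-house profiles carry this key only when it is set
        plist["ProvisionsAllDevices"] = True
    return b"\x30\x82\x0b\x8ePLACEHOLDER-DER" + plistlib.dumps(plist) + b"\x00PLACEHOLDER-SIG"

def extract_plist(profile_bytes):
    """Pull the XML plist out of the signed envelope (the usual grep trick;
    this does not verify Apple's CMS signature over the profile)."""
    m = re.search(rb"<\?xml.*?</plist>", profile_bytes, re.DOTALL)
    if m is None:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(m.group(0))

def check_profile(profile_bytes, expected_bundle_id, expected_team_id):
    """Return findings that suggest the app runs under someone else's
    profile; an empty list means the profile matches what we shipped."""
    profile = extract_plist(profile_bytes)
    app_id = profile.get("Entitlements", {}).get("application-identifier", "")
    team, _, bundle_pattern = app_id.partition(".")
    findings = []
    if team != expected_team_id:
        findings.append(f"team id mismatch: {team!r} != {expected_team_id!r}")
    if bundle_pattern == "*":
        findings.append("wildcard application-identifier (matches any bundle id)")
    elif bundle_pattern != expected_bundle_id:
        findings.append(f"bundle id mismatch: {bundle_pattern!r} != {expected_bundle_id!r}")
    if profile.get("ProvisionsAllDevices"):
        findings.append("in-house (enterprise) profile: ProvisionsAllDevices is set")
    return findings

if __name__ == "__main__":
    ours = make_sample_profile("MYTEAM1234", "com.example.myapp", False)
    resigned = make_sample_profile("ENTTEAM999", "*", True)
    print("own build:", check_profile(ours, "com.example.myapp", "MYTEAM1234"))
    print("resigned: ", check_profile(resigned, "com.example.myapp", "MYTEAM1234"))
```

Run over an unpacked IPA's embedded.mobileprovision this works as a build or app-store-monitoring check; the same comparison done inside the app at runtime is the "code they could look for and remove" that Léo mentions.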
1

Adding on to Leo's answer:

There are tools available such as Clutch to help decrypt the Apple-signed binary on a jailbroken device at runtime. After decrypting the binary, you will need to figure out the app's bundle id and entitlements. Some versions of Theos (such as theos-jailed) come with an info tool that dumps the application entitlements. When regenerating your patched provisioning profiles, you must be sure your patched profile matches the entitlements of the original profile used by the target app.

Everything after the decryption step can be accomplished without a jailbroken device. A jailbreak is required to remove the Apple FairPlay DRM by dumping/decrypting the signed app by patching into the device's runtime.

JAL
  • It is not possible to generate a provisioning profile matching the entitlements, as those are signed by Apple only. So when resigning, the entitlements are replaced with different entitlements that match the replacement provisioning profile. – Léo Natan Sep 08 '16 at 16:33
  • @LeoNatan Well don't the entitlements of the new provisioning profile used to resign the app need to match the entitlements in the profile signed by Apple? I guess that was what I was trying to say, I've been using [this guide](https://www.bishopfox.com/blog/2015/05/rethinking-repackaging-ios-apps-part-2/) for reference. – JAL Sep 08 '16 at 17:14
  • 3
    Entitlements are found in two places, the provisioning profile and the signed binary. The original entitlements need to be discarded, because they would require a provisioning profile and a certificate which you cannot obtain (original developer). Resigning works by replacing the provisioning profile, entitlements and certificate. – Léo Natan Sep 08 '16 at 17:17