I want to know the flow of execution of an IPA file

I have an IPA file which contains info.plist, executable file, package.info, provision certificate, dynamic library, code resources etc. I want to know which file is executed first and in what order the execution takes place. I want to add some content to the IPA and for that I need to understand how the existing IPA works.

Thanks in advance.

Aishwarya Ram asked Jan 17 '23 07:01

1 Answer

An IPA file is simply a zip file of an application. It contains the binary itself, an Info.plist, codesigning files, icons, and other resources.

When you download an app from the AppStore, the IPA file is downloaded to /var/mobile/Media/Downloads along with a meta file. After it is fully downloaded, an installation daemon (installd) is run which extracts the IPA to /var/mobile/Applications/<UUID here>/. Into this directory go:

  • The .app folder which contains all of the app's resources and the executable.
  • A Documents folder for storing any type of file (read/write privileges).
  • A Library folder for caching data and storing key/value data in plist format using NSUserDefaults (Library/Preferences/.plist).
  • A tmp folder used to store temporary data. This folder's contents are removed when the app is not running.

The IPA file is then deleted, thus freeing up space by removing the application archive.

When SpringBoard (the homescreen app) is loaded, it reads the Info.plist of every app and caches it. From this, it gets the display name (name under icon), the icon itself, and the name of the executable, among other things.

When you click on the app's icon, SpringBoard displays the app's Default.png as a splash screen while the executable is loaded into memory. It is decrypted during this process, as every AppStore app is encrypted when it's signed by Apple. As soon as the executable is loaded in memory, dyld (the dynamic linker) loads any frameworks or libraries that it is linked against (such as UIKit, libobjc, libSystem, etc.). Apps cannot include any libraries of their own; the executable must be standalone. Then, the app's main() function is called, and the app's code is run.

There are a few things that you should know:

  1. Modifying so much as a single byte in an app's executable file will invalidate the code signature, and the kernel will refuse to run the app.

  2. Unless you are running on a jailbroken device, the executable file cannot be edited or modified, even at runtime. You cannot change the way that an application runs without running unsigned code in one way or another (binary modding or runtime dylib injection).

  3. An IPA can only be installed by YOUR ACCOUNT. You cannot download an IPA and expect it to run. The code signature would be invalid.

  4. It is not trivial to modify the way an application runs. Some apps store all of their configuration settings in a plist whose identity is not verified, but these apps are few and far between. The majority of apps will verify configuration or save files with a hashing algorithm (such as md5 or sha1), which makes it much more difficult to edit these files without having the app reject them. Many other apps simply don't use plists or other easily edited filetypes. They will either use a lesser known or proprietary format, or they will not use configuration files.

Understand what you're getting into before attempting something. I am not discouraging you from trying; I'm just trying to help you understand the obstacles that must be overcome in order to pull this off.

C0deH4cker answered Jan 19 '23 00:01
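An added example (not code from the question or the answer) that walks the IPA layout described above: it opens the IPA as a zip archive, locates the single .app bundle under Payload/, reads the Info.plist keys SpringBoard caches (display name and executable name), checks that the named executable begins with a Mach-O magic, and reports whether the provisioning profile, the _CodeSignature seal and a Frameworks directory are present. The sample IPA, its bundle name and bundle identifier are constructed in the code.

```python
import io
import plistlib
import zipfile

# Mach-O magics as they appear on disk: 64-bit, 32-bit, and fat/universal.
MACHO_MAGICS = (b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe", b"\xca\xfe\xba\xbe")


def build_sample_ipa() -> bytes:
    """Constructed in-memory IPA (not a real app) mirroring the layout in the answer."""
    info = {"CFBundleDisplayName": "Sample", "CFBundleExecutable": "Sample",
            "CFBundleIdentifier": "com.example.sample"}  # constructed values
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        app = "Payload/Sample.app/"
        z.writestr(app + "Info.plist", plistlib.dumps(info, fmt=plistlib.FMT_BINARY))
        z.writestr(app + "Sample", MACHO_MAGICS[0] + b"\x00" * 28)  # stub Mach-O header
        z.writestr(app + "Default.png", b"\x89PNG")  # splash image SpringBoard shows
        z.writestr(app + "embedded.mobileprovision", b"constructed profile")
        z.writestr(app + "_CodeSignature/CodeResources", b"constructed seal")
        z.writestr(app + "Frameworks/Helper.framework/Helper", MACHO_MAGICS[0])
    return buf.getvalue()


def inspect_ipa(data: bytes) -> dict:
    """Report what installd/SpringBoard read from the bundle: Info.plist keys,
    the executable they name, signing files and any bundled frameworks."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        apps = sorted({n.split("/")[1] for n in names
                       if n.startswith("Payload/") and n.count("/") >= 2
                       and n.split("/")[1].endswith(".app")})
        if len(apps) != 1:
            raise ValueError(f"expected exactly one .app bundle, found {apps}")
        base = f"Payload/{apps[0]}/"
        info = plistlib.loads(z.read(base + "Info.plist"))
        exe = info.get("CFBundleExecutable")
        exe_path = base + exe if exe else None
        head = z.read(exe_path)[:4] if exe_path in names else b""
        fw_prefix = base + "Frameworks/"
        frameworks = sorted({n[len(fw_prefix):].split("/")[0]
                             for n in names if n.startswith(fw_prefix)})
        return {
            "bundle": apps[0],
            "display_name": info.get("CFBundleDisplayName"),
            "executable": exe,
            "executable_is_macho": head in MACHO_MAGICS,
            "has_provision": base + "embedded.mobileprovision" in names,
            "has_code_signature": base + "_CodeSignature/CodeResources" in names,
            "frameworks": [f for f in frameworks if f],
        }
```

Running `inspect_ipa` on a real IPA only needs the bytes of the file; a missing or non-Mach-O executable shows up as `executable_is_macho` being False rather than an exception.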