iOS Question Does an ipa have a readable signature

[JackKirk]

Does an ipa have a signature readable from the app - similar to this in B4A:

https://www.b4x.com/android/forum/threads/get-the-apk-signature-at-runtime.70490/#content

Thanks...

 

[Erel]

No.

 

[JackKirk]

What about the Team ID you have just helped me with here:

https://www.b4x.com/android/forum/threads/extract-team-id.79245/#post-501910

I'm looking for a way to deter some low life repackaging my iOS app - I can use such a signature to encrypt some bits of the app which would render it useless if the signature changed.

 

[Erel]

This is just a string. Anyone can add such a string to the project.

You can get the CFBundleIdentifier (package name). It is unique to your app.

Change one of the subs here to return it: https://www.b4x.com/android/forum/threads/packagemanager.47028/#post-290779

 

[JackKirk]

CFBundleIdentifier seems to just give me whatever I have entered at [Project] > [Build Configurations] > [Package:] - can't see this as being unique to the version of the app.

Any other suggestions?

 

[Erel]

What are you trying to protect from?

 

[JackKirk]

I'm trying to protect from someone modifying and/or repackaging and putting on a site like Cydia.

Also I have some components of the app that I consider proprietary - can you tell me just how exposed they are to someone lifting them and using them in their own apps.

 

[Erel]

Generally speaking, iOS apps are more difficult to decompile than Android apps.
You can use this code to calculate the signature of the embedded provision profile:

#if Relesae
   Dim b() As Byte = Bit.InputStreamToBytes(File.OpenInput(File.DirAssets, "embedded.mobileprovision"))
   Dim md As MessageDigest
   Dim bc As ByteConverter
   Dim hex As String = bc.HexFromBytes(md.GetMessageDigest(b, "SHA-256"))
   Log(hex)
   Page1.Title = hex
#end if

A determined hacker will be able to remove the check or modify it as needed.

 

[JackKirk]

Erel,

Many thanks for your forbearance - I take it this will change if the hacker inserts or removes anything from the app and / or resigns it?

 

[Erel]

A hacker will not be able to use your provision profile while signing the app. So the signature will be different.

Note that it will also be different when you compile it with a store provision so make sure to test it with the correct value. You can open the IPA file and then calculate the hash yourself.