Mobile Application Security: Application Format

1/13/2011 9:15:21 AM
In contrast to OS X, the iPhone platform does not use an intermediate compression format for applications such as DMG or StuffIt—and of course, there is no concept of “Universal” binaries. Rather, they are distributed directly as an application bundle. In this section we take a closer look at the build and packaging characteristics of iPhone applications, as well as code signing and distribution.

Build and Packaging

Applications are compiled via Xcode similarly to OS X applications, using the GNU GCC compiler, cross-compiled for the ARM processor of the iPhone device, as well as for the local machine, to run in the emulator. Each application bundle includes a unique application ID, a plist of entitlements and preferences, a code signature, any required media assets or nib files, and the executable itself.

As with an OS X application, bundles must include an Info.plist, which specifies the majority of the metadata about the application. Every Xcode-created project will include an Info.plist under the Resources hierarchy. One or more preference plists (Root.plist) can be included for application-specific preferences.

Distribution: The Apple Store

Apple’s Application Store was the first user experience that made acquiring mobile applications a simple task. Apple exercises total control over the content of the Application Store; all iPhone applications must be approved prior to distribution, and can be revoked at Apple’s discretion. The rules for forbidden applications are something of a moving target, and therefore are difficult to enumerate. However, with the advent of iPhone OS 3.0, Apple seems to be making moves to loosen these restrictions.

Although there are many disadvantages to this approach, it does mean that the App Store serves as a security boundary. Programmatic security mechanisms for applications running on the iPhone OS are fairly lax, but Apple can rein in developers behaving in a deceptive or malicious fashion by refusing to publish their applications or revoking them from the store.

In the event actively malicious software does make it through the App Store, a second approach, albeit one that has yet to be used by Apple, is a “kill switch” allowing the blacklisting of applications after install. Although there were some initial worries that Apple would be using this to actively disable software it didn’t like, this has not been the case to date.

Thus far, using Apple itself as the gatekeeper and security boundary for iPhone applications has had good results—except for developers, some of whom have had wait times of up to six months just to get an application accepted. With the sheer number of new iPhone applications appearing on a daily basis, it’s not unlikely that more OS-based security features will be used more actively in the future to smooth out the application-vetting process.

Code Signing

iPhone applications must be signed by a valid code-signing certificate. Some applications, notably ones that use the Keychain or cryptography primitives, are designed only to be run on an actual device, rather than an emulator. To obtain a code-signing certificate, use the Keychain Access tool to create a Certificate Signing Request (CSR), as described in Apple’s Code Signing Guide (see Once the certificate has been issued (a fairly quick process), you can import the certificate into your Keychain.

If you don’t have a membership with the iPhone Developer Program, it is still possible to use self-signed certificates to sign applications. However, this involves disabling security checks in the device, which is ill-advised for devices that aren’t used solely for development. For more information on the mechanisms behind Apple signature verification and how to bypass them, see Jay Freeman’s page at

Executing Unsigned Code

As mentioned before, third-party iPhone applications existed before the App Store. On “jailbroken” phones, using Cydia and Installer are the two most popular ways to install unauthorized third-party software. Even without submitting your packages to a public repository, you can still execute unsigned code on your device.

Once jailbroken, the iPhone can run an SSH daemon that can be used to copy unsigned applications onto the device. These applications can even run outside of the default Apple sandboxing policies. To sideload your sneaky, illicit iPhone application onto a device, you can perform the following steps:

  1. Using Cydia, install the BSD Subsystem and OpenSSH packages.

  2. Find the IP address of your iPhone by examining the Network Settings panel.

  3. Using your OS X machine, open the Terminal application.

  4. Type ssh root@, where is the IP address of your phone. When asked for a password, enter alpine.

  5. The first order of business should be to change the device’s root password. Enter the command passwd to do this.

  6. You can now copy your application to the device. To do this, archive the application on your OS X machine using tar -cvzf myapp.tar.gz MyApp, where MyApp is the application bundle.

  7. Copy the bundle to the device using scp myapp.tar.gz root@

  8. Once the archive is copied over, ssh back into the iPhone and cd to the Applications directory.

  9. Execute tar -xvzf myapp.tar.gz. The application will be extracted.

  10. Restart your springboard (with BossPrefs, for example) or reboot your device. Your application should appear on the springboard.

  •  Mobile Application Security: Security Testing
  •  Mobile Application Security: The Apple iPhone - Development
  •  Building Android Apps : Installing KiloGap in the Emulator
  •  Building Android Apps : Build KiloGap
  •  Building Android Apps: Create an Android Virtual Device
  •  Building Android Apps: Going Native - Setting Up the Environment
  •  Building Android Apps: Introduction to PhoneGap
  •  iPhone Application Development : How Xcode and Interface Builder Implement MVC
  •  iPhone Application Development : Understanding the Model-View-Controller Paradigm
  •  Building Android Apps: Going Offline - Debugging
  •  Building Android Apps: Creating a Dynamic Manifest File
  •  Building Android Apps: Online Whitelist and Fallback Options
  •  The Basics of the Offline Application Cache
  •  Building Android Apps: Web SQL Database (part 4) - Deleting Rows
  •  Building Android Apps: Web SQL Database (part 3) - Selecting Rows and Handling Result Sets
  •  Building Android Apps: Web SQL Database (part 2) - Inserting Rows
  •  Building Android Apps: Web SQL Database (part 1) - Creating a Database
  •  Building Android Apps: Web Storage
  •  Building Android Apps : Simple Bells and Whistles
  •  Building Android Apps : Traffic Cop
    Top 10
    Nvidia Quadro K5000 Professional Graphics Card (Part 4)
    Nvidia Quadro K5000 Professional Graphics Card (Part 3)
    Nvidia Quadro K5000 Professional Graphics Card (Part 2)
    Nvidia Quadro K5000 Professional Graphics Card (Part 1)
    Mains Cables R US MCRU Music Server - The Mains Thing (Part 2)
    Mains Cables R US MCRU Music Server - The Mains Thing (Part 1)
    Merlin Music TSM MMM Speakers (Part 2)
    Merlin Music TSM MMM Speakers (Part 1)
    System Audio Aura 1 Bookshelf Loudspeaker (Part 2)
    System Audio Aura 1 Bookshelf Loudspeaker (Part 1)
    Most View
    Windows System Programming : Example: Listing File Attributes & Setting File Times
    Windows Azure : Messaging with the queue - Patterns for message processing
    Samsung Galaxy SIII And HTC One X: A Detailed And Thorough Comparison
    Canon EOS 650D: entry-level DSLR with vari-angle capacitive touchscreen
    Windows 7 : Working with the Printer Queue
    Microsoft Sued Comet For Making 94,000 Copies Of Counterfeit Windows
    How To Share Your Shots With Us!
    Asus Vivobook S200E - Stunning Looks And Great Features
    Windows 7 : Working with Multiple Local Group Policy Objects
    Choose The Right Business Broadband (Part 2)
    Network Attached Storage Round-Up (Part 1) - The Benefits Of A NAS
    The best browser hacks (part 1) - Mozilla Firefox
    AG Neovo U-23 : monitor with a 1920x1080 Full HD resolution
    Apple Society – Less Never More
    Educational Software Tools (Part 2)
    Programming Microsoft SQL Server 2005: Using Data Mining Extensions (part 1) - Data Mining Modeling Using DMX
    On Test - Postcard Apps (Part 1)
    100 Ways To Speed Up Windows (Part 4)
    Windows Vista : Permissions and Security (part 1) - Set Permissions for a File or Folder
    .NET Debugging : PowerDbg (part 2) - Send-PowerDbgCommand & Extending PowerDbg