Need help with code signing in iOS!

Well this one is driving me crazy so better ask for some help before I fire the big guns and go commando mode with this 🙂

I’m trying to patch iOS apps so I can remove “spyware” and other stuff. Newest iOS versions require all code to be signed. This article by Saurik talks about 3 different ways to work around this problem without a developer certificate (an idea that crossed my mind is to configure the kernel only to accept Apple’s certificates and my certificate, to avoid rogue stuff like worms [I have to see if code signing is effective against code injection for example]). I don’t like number 3 due to associated security problems so I have to work with the other two. The first problem is that the available ldid seems to have some problems with armv7 binaries (iPad and iPhone4?) – a fixed version that runs in OS X is available here. I try to resign/add a new signature to the modified binaries but the checksums don’t change so ldid doesn’t seem to work. I can sign the binaries without any problem in OS X using a self-signed certificate. But here lies my problem. Let me describe my scenario…

I have an unencrypted app running. I copy the main binary to OS X and patch whatever I want. I resign the binary (method #1 or #2) and replace it in the iPad. I try to run the binary and iOS refuses to do so. If I remove the kernel flag (#3) it works so there aren’t problems with the binary itself. Restore the kernel flag, kill the process, try to run again and it refuses.
So I did another test. Since I have the ipa file for the unencrypted app, I replace the binary inside it with my newly patched one, delete the app from iPad and iTunes, and install the new modified ipa. Try to run the newly installed modified app and it works! WTF?

I had read somewhere about iTunes adding something to the keychain (I memorized one thing, that iOS keychain was very simple with just three methods available) when apps were synced/installed (I can’t seem to find back this article – !#&%”#/&%#”&”#&!#!!!). My test appears to confirm something like this else the new modified app would also fail.

So my question is if it’s possible to modify the main binary and resign it, without having to reinstall the whole app again. Am I missing something? I can’t seem to find any valuable info about this.

Anyway, contrary to what I thought, this might be very interesting related to protections and other tricks. The following links, 1 2 3 4, show that there are possibilities to implement protections. My (wrong!) idea was that Apple didn’t allow this kind of stuff in the app approval process. Well that PiOS article and this presentation changed this. It’s very possible to bypass Apple’s verification process and do something nasty to those iOS devices (I’m worried regarding corporate security and my personal stuff :-)). Well, in my defense, I must say that I always found it intriguing how Apple could, efficiently, verify thoroughly all the code for each app – that never added up in my mind but I never bothered to check heehheh.

Update: Found a pretty interesting presentation from Hack in the Box 2010 about iPhone security model.

13 thoughts on “Need help with code signing in iOS!”

  1. When you run the binary for the first time, the code directory hash is cached in the kernel by AMFI, and if you then modify the file this isn’t updated. So next time you run it the kernel will kill it because the code directory check will fail. The solution would be to delete the executable file before replacing it (no need to delete the whole app).

    1. Many thanks for the answer! That is logical since there is other cached stuff 🙂 I will certainly not forget about the possibility of cache in future problems hehehe!

      Thanks again 🙂

    2. Unfortunately, this does not work for me. Even when I just install a package, update the executable file with my own version and run it, iOS just kills it. Am I doing something wrong?

      What is AMFI and how could its cache be cleared?

      1. That’s the behavior I was experiencing. Did you delete the executable and copy the updated version over, or just copy/move it over the old one?

        Cache should probably be based on “inodes” or whatever is equivalent in HFS+.

          1. Humm I think I never tried the process since I got busy with OS X stuff. Maybe you should try to touch the parent directories and see if it works?

  2. Tried. Recreated directory completely. It might be that this solution does not work for my task, because I am patching an application which is installed by Cydia and it does not have its own _CodeSignature directory (as I can guess this was your case)

    1. Not sure if that’s the case because all commands have code signatures (ls for example). Have you tried to disable the kernel flag and enable all code to run just to make sure everything is ok with that binary?
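The first comment’s explanation (a kernel-side cache tied to the file, which a later reply guesses is keyed on the inode) comes down to file identity: rewriting a file in place keeps its inode, while staging a new file and renaming it over the old one gives the path a fresh inode. The small shell script below is an added illustration of that filesystem behaviour on a desktop shell; it is not code from the post or its comments, and it does not touch iOS or AMFI at all, only shows why “delete, then replace” and “overwrite” are not the same operation from a cache keyed on file identity.

```shell
#!/bin/sh
# Added example (not from the original post). Compares two ways of "replacing"
# a file and reports whether the path still refers to the same inode afterwards.
# A kernel cache keyed on file identity (vnode/inode), like the AMFI code
# directory cache described in the comments, would still hit the stale entry in
# the first case and would not apply to the new file in the second.

# Inode number of a path, via the first field of `ls -i` (portable across
# Linux and BSD/macOS, unlike the differing `stat` flags).
inode_of() {
    ls -i "$1" | awk '{print $1}'
}

# Truncate and rewrite the existing file: the path keeps its inode.
# Prints "same" or "different".
overwrite_in_place() {
    file=$1
    before=$(inode_of "$file")
    printf 'patched contents\n' > "$file"
    after=$(inode_of "$file")
    [ "$before" = "$after" ] && echo same || echo different
}

# Write the replacement to a staging file, then rename it over the original.
# Both files exist at once, so the new one necessarily has a different inode;
# the old inode is unlinked by the rename. Prints "same" or "different".
replace_by_rename() {
    file=$1
    before=$(inode_of "$file")
    printf 'patched contents\n' > "$file.new"
    mv -f "$file.new" "$file"
    after=$(inode_of "$file")
    [ "$before" = "$after" ] && echo same || echo different
}
```

Running both functions against a scratch file prints `same` for the in-place overwrite and `different` for the rename, which is the distinction the thread’s answer relies on.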
