Modify and resign your existing IPA and APK
Easily create a new app from an existing binary
You might find yourself in a situation where you need to modify assets, keys, styles or typos in string resources, but you don't have access to the original source code that was used to build the app.
In this blog post we will show you some examples of tools and utilities that you can use to update the contents of your application packages and sign them again without the need for changes in code.
What is an .ipa file?
An iOS App Store Package (.ipa) file is simply a ZIP archive that contains the binary code for the application and optional extensions, as well as the assets and resources that are required by the app. This includes Storyboards, Managed Models, Localizable strings, Icons and Property Lists. It also contains the app's provisioning profile.
This folder structure is then cryptographically signed with the appropriate key from your Developer profile.
Example: change values in Info.plist
Let's say your app is called Demo but you want to show it in the phone's list of apps as My Demo.
We're assuming here that you have the .ipa that is distributed to your device.
First, unzip the IPA in a newly created folder
mkdir demo
cd demo
unzip ../demo.ipa
Then, change the Info.plist value using the PlistBuddy tool that comes with macOS
/usr/libexec/PlistBuddy -c 'Set :CFBundleDisplayName My Demo' Payload/hybrid.app/Info.plist
Check if it was changed
/usr/libexec/PlistBuddy -c 'Print :CFBundleDisplayName' Payload/hybrid.app/Info.plist
Now, you need to remove the existing code signature
rm -rf Payload/hybrid.app/_CodeSignature
And sign the folder structure again with your identity, which can be found with the security command, for example:
security find-identity
Policy: X.509 Basic
Matching identities
1) 5DCA8462F8D09FDE59AB0AF172612BD74CFDBDB8 "iPhone Distribution: Notificare B.V."
1 identities found
Valid identities only
1) 5DCA8462F8D09FDE59AB0AF172612BD74CFDBDB8 "iPhone Distribution: Notificare B.V."
1 valid identities found
Choose the appropriate identity, and sign your IPA's folder structure, using the entitlements that are found in the payload
codesign -d --entitlements :entitlements.plist Payload/hybrid.app/
codesign -f -s 'iPhone Distribution: Notificare B.V.' --entitlements entitlements.plist Payload/hybrid.app/
Finally, you need to zip it to an .ipa file
zip -qr signed.ipa Payload
The resulting signed.ipa file can then be distributed and installed on your device.
Your app is now called My Demo
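Why the old signature has to be replaced after an edit: the _CodeSignature/CodeResources property list records a hash for each resource file in the bundle, so a changed file no longer matches it. The following is an added example, not code from the original post, that opens an IPA as a ZIP, reads Info.plist and reports sealed resources whose SHA-256 no longer matches the files2/hash2 entries. The sample archive, its en.lproj/Localizable.strings path and the function names are constructed for illustration; Info.plist itself is not listed in CodeResources and is covered by the signature embedded in the executable, which this sketch does not parse.

```python
import hashlib
import io
import plistlib
import zipfile

def find_app_dir(names):
    """Return the 'Payload/<name>.app/' prefix from the archive's member names."""
    for name in names:
        parts = name.split("/")
        if len(parts) > 2 and parts[0] == "Payload" and parts[1].endswith(".app"):
            return "/".join(parts[:2]) + "/"
    raise ValueError("no Payload/*.app bundle in archive")

def check_ipa(ipa_bytes):
    """Return (display name, sealed resources that are missing or no longer match)."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = set(z.namelist())
        app = find_app_dir(names)
        info = plistlib.loads(z.read(app + "Info.plist"))
        seal = plistlib.loads(z.read(app + "_CodeSignature/CodeResources"))
        stale = []
        for rel, entry in seal.get("files2", {}).items():
            if not isinstance(entry, dict) or "hash2" not in entry:
                continue  # symlinks and nested code are recorded differently
            if app + rel not in names:
                if not entry.get("optional"):
                    stale.append(rel)
            elif hashlib.sha256(z.read(app + rel)).digest() != entry["hash2"]:
                stale.append(rel)
    return info.get("CFBundleDisplayName"), sorted(stale)

def build_sample_ipa(strings_now, strings_when_signed):
    """Constructed sample: IPA-shaped ZIP whose seal covers one strings file."""
    app = "Payload/hybrid.app/"
    seal = {"files2": {"en.lproj/Localizable.strings":
                       {"hash2": hashlib.sha256(strings_when_signed).digest()}}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(app + "Info.plist", plistlib.dumps({"CFBundleDisplayName": "Demo"}))
        z.writestr(app + "en.lproj/Localizable.strings", strings_now)
        z.writestr(app + "_CodeSignature/CodeResources", plistlib.dumps(seal))
    return buf.getvalue()

if __name__ == "__main__":
    signed = b'"about" = "About this aplication";\n'
    edited = signed.replace(b"aplication", b"application")
    print(check_ipa(build_sample_ipa(signed, signed)))  # seal matches
    print(check_ipa(build_sample_ipa(edited, signed)))  # edited file is reported
```
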
What is an .apk file?
An Android Application Package has a similar structure. It is also a ZIP archive, but contains encoded formats of resources, as well as compiled classes of your app's code. It is also cryptographically signed with the appropriate key from your application's keystore.
Example: change a string value resource
Let's say you find a typo in your app where it says 'About this aplication' and you want to fix that missing 'p'.
First, you need to get the .apk. In Android, you can retrieve any APK from any app from your device with the adb tool.
adb shell pm path re.notifica.demo
package:/data/app/re.notifica.demo-LPJCf_xEWuRq9ELBEVwWAw==/base.apk
adb pull /data/app/re.notifica.demo-LPJCf_xEWuRq9ELBEVwWAw==/base.apk
mv base.apk demo.apk
The APK now needs to be unpacked into a folder structure where you can change the files.
For this, there is an excellent tool called apktool, which can be downloaded from the tool's website or installed via Homebrew
brew install apktool
Use the decode command to extract the files from the APK
apktool d demo.apk
This will unpack your demo.apk into a folder demo.
Now, search for the typo
cd demo
grep aplication res/values/strings.xml
<string name="settings_section_title_others">About this aplication</string>
and change it
sed -i -e 's/aplication/application/' res/values/strings.xml
Now it's time to reconstruct your APK
cd ..
apktool b demo -o app.apk
And sign it with the appropriate key from your keystore
jarsigner -sigalg SHA1withRSA -digestalg SHA1 -sigfile CERT -keystore keystore.jks app.apk demo
Enter Passphrase for keystore:
jar signed.
Finally, for the APK to work on Android, it needs to be aligned to 4-byte boundaries.
For that you need to use the zipalign utility that comes with your Android SDK build tools.
~/Library/Android/sdk/build-tools/29.0.3/zipalign -f 4 app.apk signed.apk
Depending on your install, you might need to change to the correct path for your build tools.
The resulting signed.apk can be distributed and installed on your device
adb install signed.apk
And you will see the typo is fixed
Limitations
The above tools and strategies work well for applications that are distributed outside of the App Store (i.e., Enterprise builds) and Google Play. There are a lot of extra steps involved before your app appears on the stores, and tampering with binaries will likely not pass Apple's review process.
Furthermore, these tools do not work with store-side signing, such as is available in Google Play. The example also does not work with v2 APK formats.
Needless to say, manipulating property lists and codesigning your IPA can only be done on a macOS machine.
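To tell in advance whether the jarsigner flow above applies to a given APK, you can check which signature schemes it carries. The following is an added example, not code from the original post: it reports v1 when a META-INF/*.SF file is present (such as the CERT.SF produced by -sigfile CERT) and v2 or v3 when an APK Signing Block sits directly before the ZIP central directory. The sample archive and the function names are constructed for illustration, and the block in the sample holds dummy bytes, not a real signature.

```python
import io
import struct
import zipfile

MAGIC = b"APK Sig Block 42"
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}  # IDs used inside the signing block

def central_directory(apk):
    """Return (EOCD offset, central directory offset) parsed from the ZIP trailer."""
    eocd = apk.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("not a ZIP archive")
    return eocd, struct.unpack_from("<I", apk, eocd + 16)[0]

def signature_schemes(apk):
    """Return the signature schemes found in the APK bytes, e.g. {'v1', 'v2'}."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        v1 = any(n.startswith("META-INF/") and n.endswith(".SF") for n in z.namelist())
    found = {"v1"} if v1 else set()
    _, cd = central_directory(apk)
    if cd >= 32 and apk[cd - 16:cd] == MAGIC:
        size = struct.unpack_from("<Q", apk, cd - 24)[0]
        if size < 24 or size + 8 > cd:
            return found                   # size field does not fit: treat as no block
        pos, end = cd - size, cd - 24      # ID-value pairs sit between the two size fields
        while pos + 12 <= end:
            length, scheme_id = struct.unpack_from("<QI", apk, pos)
            if length < 4 or pos + 8 + length > end:
                break                      # malformed pair: stop rather than guess
            if scheme_id in SCHEME_IDS:
                found.add(SCHEME_IDS[scheme_id])
            pos += 8 + length
    return found

def build_sample(with_block):
    """Constructed sample: tiny ZIP with a v1 .SF entry and, optionally, a dummy v2 block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("resources.arsc", b"\x00" * 16)
    apk = buf.getvalue()
    if not with_block:
        return apk
    eocd, cd = central_directory(apk)
    pair = struct.pack("<QI", 4 + 8, 0x7109871A) + b"\x00" * 8
    size = struct.pack("<Q", len(pair) + 24)
    block = size + pair + size + MAGIC
    # Splice the block in before the central directory and fix the EOCD offset field.
    return apk[:cd] + block + apk[cd:eocd + 16] + struct.pack("<I", cd + len(block)) + apk[eocd + 20:]

if __name__ == "__main__":
    print(signature_schemes(build_sample(False)), signature_schemes(build_sample(True)))
```
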
Want to see it in action?
At Notificare, we use these techniques to automatically generate a Demo app when a trial account is created. Please try it yourself and sign up for a free 30-day trial. Any questions? We are always available via our Support Channel.