Modify and resign your existing IPA and APK

Joris Verbogt
May 8 2020
Posted in Engineering & Technology

Easily create a new app from an existing binary

You might find yourself in a situation where you need to modify assets, keys, styles or typos in string resources, but you don't have access to the original source code that was used to build the app.

In this blog post we will show you some examples of tools and utilities that you can use to update the contents of your application packages and sign them again without the need for changes in code.

What is an .ipa file?

An IOS AppStore Package file is simply a ZIP archive that contains binary code for the application and optional extensions as well as assets and resources that are required by the app. This includes Storyboards, Managed Models, Localizable strings, Icons and Property Lists. It also contains the app's provisioning profile.

This folder structure is then cryptographically signed with the appropriate key from your Developer profile.

Example: change values in Info.plist

Let's say your app is called Demo but you want to show it in the phone's list of apps as My Demo

iOS App Demo

We're assuming here you have the .ipa that is used to be distributed to your device.

First, unzip the IPA in a newly created folder

mkdir demo
cd demo
unzip ../demo.ipa

Then, change the Info.plist value using the PlistBuddy tool that comes with MacOS

/usr/libexec/PlistBuddy -c 'Set :CFBundleDisplayName My Demo' Payload/hybrid.app/Info.plist

Check if it was changed

/usr/libexec/PlistBuddy -c 'Print :CFBundleDisplayName' Payload/hybrid.app/Info.plist

Now, you need to remove the existing code signature

rm -rf Payload/hybrid.app/_CodeSignature

And sign the folder structure again with your identity, which can be found with the security command, for example:

security find-identity

Policy: X.509 Basic
  Matching identities
  1) 5DCA8462F8D09FDE59AB0AF172612BD74CFDBDB8 "iPhone Distribution: Notificare B.V."
     1 identities found

  Valid identities only
  1) 5DCA8462F8D09FDE59AB0AF172612BD74CFDBDB8 "iPhone Distribution: Notificare B.V."
     1 valid identities found

Choose the appropriate identity, and sign your IPA's folder structure, using the entitlements that are found in the payload

codesign -d --entitlements :entitlements.plist Payload/hybrid.app/
codesign -f -s 'iPhone Distribution: Notificare B.V.' --entitlements entitlements.plist

Finally, you need to zip it to an .ipa file

zip -qr signed.ipa Payload

The resulting signed.ipa file can then be distributed and installed on your device.strings

Your app is now called My Demo

iOS App My Demo

What is an .apk file?

An Android Application Package has a similar structure. It is also a ZIP archive, but contains encoded formats of resources, as well as compiled classes of your app's code. It is also cryptographically signed with the appropriate key from your application's keystore.

Example: change a string value resource

Let's say you find a typo in your app where it says 'About this aplication' and you want to fix that missing 'p'.

Android App with typo

First, you need to get the .apk. In Android, you can retrieve any APK from any app from your device with the adb tool.

adb shell pm path re.notifica.demo
package:/data/app/re.notifica.demo-LPJCf_xEWuRq9ELBEVwWAw==/base.apk
adb pull /data/app/re.notifica.demo-LPJCf_xEWuRq9ELBEVwWAw==/base.apk
mv base.apk demo.apk

The APK now needs to be unpacked into a folder structure where you can change the files. For this, there is an excellent tool called apktool, which can be found for download at the tool's website or via Homebrew

brew install apktool

Use the decode command to extract the files from the APK

apktool d demo.apk

This will unpack your demo.apk into a folder demo.

Now, search for the typo

cd demo
grep aplication res/values/strings.xml
    <string name="settings_section_title_others">About this aplication</string>

and change it

sed -i -e 's/aplication/application/' res/values/strings.xml

Now it's time to reconstruct your APK

cd ..
apktool b demo -o app.apk

And sign it with the appropriate key from your keystore

jarsigner -sigalg SHA1withRSA -digestalg SHA1 -sigfile CERT -keystore keystore.jks app.apk demo
Enter Passphrase for keystore:
jar signed.

Finally, for the APK to work on Android, it needs to be aligned to 4-byte boundaries. For that you need to use the zipalign utility that comes with your Android SDK build tools.

~/Library/Android/sdk/build-tools/29.0.3/zipalign -f 4 app.apk signed.apk

Depending on your install, you might need to change to the correct path for your build tools

The resulting signed.apk can be used to distribute and install on your device

adb install signed.apk

And you will see the typo is fixed

Android App fixed

Limitations

The above tools and strategies work well for applications that have a distribution outside of the AppStore (i.e., Enterprise builds) and GooglePlay. There are a lot of extra steps involved before your app appears on the stores and mangling with binaries will likely not pass the review process of Apple.

Furthermore, these tools do not work with store-side signing, such as is available in GooglePlay. The example also does not work with v2 APK formats.

Needless to say, manipulating property lists and codesigning your IPA can only be done on a MacOS machine.

Want to see it in action?

At Notificare, we use these techniques to automatically generate a Demo app when a trial account is created. Please try it yourself and sign up for a free 30-day trial. Any questions? We are always available via our Support Channel.

Keep up-to-date with the latest news