
Overview

An IPA (iOS App Store Package) file is the file format used to distribute iOS applications. Despite its .ipa extension, it’s actually a ZIP archive with a specific internal structure mandated by Apple. Understanding IPA files is the first step in iOS reverse engineering.
IPA stands for iOS App Store Package, though the format is used for all iOS app distribution methods, not just the App Store.

IPA File Structure

An IPA file is a ZIP archive containing the app bundle and metadata:
MyApp.ipa (ZIP archive)
├── Payload/
│   └── MyApp.app/              ← The app bundle
│       ├── MyApp               ← Mach-O executable
│       ├── Info.plist          ← App metadata
│       ├── embedded.mobileprovision
│       ├── _CodeSignature/
│       │   └── CodeResources
│       ├── Assets.car          ← Asset catalog
│       ├── Base.lproj/         ← Localization
│       ├── Frameworks/         ← Embedded frameworks
│       └── PlugIns/            ← App extensions
├── iTunesArtwork              ← App icon (512x512)
├── iTunesArtwork@2x           ← App icon (1024x1024)
├── iTunesMetadata.plist       ← App Store metadata
└── META-INF/                  ← Distribution metadata
    └── com.apple.ZipMetadata.plist

Key Components

Payload/: contains the main application bundle (.app). There is always exactly one .app bundle inside the Payload/ directory.
# List Payload contents
unzip -l MyApp.ipa | grep "Payload/"
This is the actual application that gets installed on the device.
iTunesArtwork and iTunesArtwork@2x: high-resolution app icons (stored without a file extension).
  • iTunesArtwork: 512x512 PNG
  • iTunesArtwork@2x: 1024x1024 PNG
# Extract and view
unzip MyApp.ipa iTunesArtwork
file iTunesArtwork
# Output: PNG image data, 512 x 512, 8-bit/color RGBA
These files can be renamed with a .png extension to view them as regular images.
iTunesMetadata.plist: App Store metadata, including:
  • Bundle identifier
  • App version
  • Purchase date and price
  • Apple ID of purchaser
  • Artist/developer name
# Extract and view
unzip -p MyApp.ipa iTunesMetadata.plist | plutil -p -
Only present in App Store downloads, not in development or ad-hoc builds.
META-INF/: contains distribution metadata in com.apple.ZipMetadata.plist. This includes:
  • Compression information
  • File ordering hints
  • iOS-specific ZIP metadata
unzip -p MyApp.ipa META-INF/com.apple.ZipMetadata.plist

Types of IPA Files

iOS apps can be packaged in different ways depending on distribution method:
App Store: downloaded from Apple’s App Store. Characteristics:
  • Encrypted with Apple’s FairPlay DRM
  • Includes iTunesMetadata.plist
  • Distribution certificate signature
  • No device restrictions
  • Must be decrypted before analysis
# Check encryption
otool -l MyApp.app/MyApp | grep -A 5 LC_ENCRYPTION_INFO
# cryptid 1 = encrypted
App Store IPAs must be decrypted using a jailbroken device before reverse engineering.

Extracting IPA Files

Basic Extraction

1. Unzip the IPA

# Create extraction directory
mkdir MyApp_extracted

# Extract IPA
unzip MyApp.ipa -d MyApp_extracted/

# Navigate to app bundle
cd MyApp_extracted/Payload/MyApp.app/

2. Examine contents

# List all files
ls -la

# Find large files (frameworks, assets)
find . -type f -size +1M -exec ls -lh {} \;

# Count file types
find . -type f | sed 's/.*\.//' | sort | uniq -c | sort -rn

3. Verify app bundle

# Check binary architecture
file MyApp
lipo -info MyApp

# Display code-signing details (-d only displays them; codesign --verify validates the signature)
codesign -dv MyApp

# Check Info.plist
plutil -p Info.plist

Selective Extraction

# Extract only the binary
unzip -j MyApp.ipa "Payload/MyApp.app/MyApp" -d /tmp/

# Extract Info.plist
unzip -j MyApp.ipa "Payload/MyApp.app/Info.plist"

# Extract provisioning profile
unzip -j MyApp.ipa "Payload/MyApp.app/embedded.mobileprovision"

Inspecting IPA Contents

Metadata Analysis

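Info.plist contains the app's configuration and metadata.
# Extract and view
# Note: unzip's * also matches "/", so if the app embeds another .app bundle
# its Info.plist is printed as well; name the bundle explicitly in that case.
unzip -p MyApp.ipa "Payload/*.app/Info.plist" | plutil -p -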

# Key properties to examine:
# - CFBundleIdentifier: Bundle ID
# - CFBundleVersion: Build number
# - CFBundleShortVersionString: Version
# - MinimumOSVersion: Min iOS version
# - UIDeviceFamily: iPhone/iPad support
# - UIRequiredDeviceCapabilities: Required features
# - NSAppTransportSecurity: Network security settings
# - CFBundleURLTypes: URL schemes
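
The structure and Info.plist checks above can be done before anything is unpacked. The following is an added example, not part of the original project: it reads the archive in place, confirms there is exactly one top-level .app bundle, lists entry names that would escape the extraction directory, and pulls the review keys from the top-level Info.plist only. The names triage_ipa and constructed_ipa, and the sample archive they use, are constructed for illustration.

```python
import io, plistlib, re, zipfile

BUNDLE = re.compile(r"^Payload/([^/]+\.app)/")
REVIEW_KEYS = ("CFBundleIdentifier", "CFBundleShortVersionString", "MinimumOSVersion",
               "NSAppTransportSecurity", "CFBundleURLTypes")

def triage_ipa(ipa):
    """Inspect an IPA (path or file object) in place; nothing is written to disk."""
    with zipfile.ZipFile(ipa) as zf:
        names = zf.namelist()
        # Entry names that would resolve outside the extraction directory.
        unsafe = [n for n in names if n.startswith("/") or ".." in n.split("/")]
        # Top-level bundles only; nested .app bundles sit deeper in the tree.
        bundles = sorted({m.group(1) for n in names if (m := BUNDLE.match(n))})
        info = {}
        if len(bundles) == 1:
            plist_name = f"Payload/{bundles[0]}/Info.plist"
            if plist_name in names:
                # plistlib reads both XML and binary property lists.
                parsed = plistlib.loads(zf.read(plist_name))
                info = {k: parsed[k] for k in REVIEW_KEYS if k in parsed}
    return {
        "bundles": bundles,                       # expected: exactly one
        "unsafe_names": unsafe,
        "has_itunes_metadata": "iTunesMetadata.plist" in names,  # purchaser data
        "info": info,
    }

def constructed_ipa():
    """Build a small IPA in memory (constructed sample, not a real app)."""
    info = {"CFBundleIdentifier": "com.example.myapp", "MinimumOSVersion": "15.0",
            "NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True},
            "CFBundleURLTypes": [{"CFBundleURLSchemes": ["myapp"]}]}
    nested = {"CFBundleIdentifier": "com.example.myapp.watch"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/MyApp.app/Info.plist",
                    plistlib.dumps(info, fmt=plistlib.FMT_BINARY))
        zf.writestr("Payload/MyApp.app/Watch/W.app/Info.plist", plistlib.dumps(nested))
        zf.writestr("../outside.txt", b"")        # entry name with a parent reference
        zf.writestr("iTunesMetadata.plist", plistlib.dumps({"note": "constructed"}))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(triage_ipa(constructed_ipa()))
```

An archive that reports more than one bundle or any unsafe name should be extracted only into a disposable directory, if at all.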

Binary Analysis

# Identify file type
file Payload/MyApp.app/MyApp

# Check supported architectures
lipo -info Payload/MyApp.app/MyApp
# Output: Non-fat file: arm64

# Check encryption status
otool -l Payload/MyApp.app/MyApp | grep -A 5 cryptid
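
The cryptid check used here and in the App Store section reads one field of the LC_ENCRYPTION_INFO load command. The following added example (not from the original project) does the same lookup by walking the Mach-O load commands directly, which also works on a machine without otool and reports each slice of a fat binary separately. The function names and the sample binary are constructed for illustration.

```python
import struct

MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C

def thin_cryptid(data, base=0):
    """cryptid of the little-endian Mach-O at `base`; None if it has no encryption command."""
    (magic,) = struct.unpack_from("<I", data, base)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError(f"not a little-endian Mach-O (magic {magic:#x})")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, base + 16)
    off = base + (32 if magic == MH_MAGIC_64 else 28)    # size of the Mach-O header
    end = off + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("malformed load command")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            if cmdsize < 20:
                raise ValueError("truncated encryption command")
            # Fields after cmd/cmdsize: cryptoff, cryptsize, cryptid
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            return cryptid
        off += cmdsize
    return None

def cryptid_by_slice(data):
    """Map each slice's file offset to its cryptid (1 = encrypted, 0 = not encrypted)."""
    (be_magic,) = struct.unpack_from(">I", data, 0)
    if be_magic == FAT_MAGIC:                             # fat header is big-endian
        (nfat,) = struct.unpack_from(">I", data, 4)
        # fat_arch is 20 bytes: cputype, cpusubtype, offset, size, align
        offsets = [struct.unpack_from(">I", data, 8 + 20 * i + 8)[0] for i in range(nfat)]
    else:
        offsets = [0]
    return {o: thin_cryptid(data, o) for o in offsets}

def sample_macho(cryptid):
    """Constructed arm64 Mach-O header with a single LC_ENCRYPTION_INFO_64 command."""
    cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    hdr = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(cmd), 0, 0)
    return hdr + cmd

if __name__ == "__main__":
    print(cryptid_by_slice(sample_macho(1)))
```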

Resource Analysis

Asset Catalogs

Extract images from Assets.car
# Use a third-party tool such as acextract
acextract -i Assets.car -o assets/

Localization

Examine localized strings
# List languages
find . -name "*.lproj"

# View strings
plutil -p en.lproj/Localizable.strings

Storyboards/NIBs

UI definition files
find . -name "*.storyboardc"
find . -name "*.nib"

Databases

Embedded data files
# Find databases
find . -name "*.db" -o -name "*.sqlite"

# Inspect schema
sqlite3 data.db ".schema"

Working with Example IPAs

The project includes example obfuscated apps:
# List example IPAs
ls -lh ~/workspace/source/ObfuscatedAppExamples/

# ControlFlowFlattening.ipa - Control flow obfuscation
# NoTampering.ipa - Anti-tampering checks
# ObjectiveSwizzling.ipa - Method swizzling examples

Analyzing Example: NoTampering.ipa

1. Extract IPA

mkdir -p /tmp/notamper_analysis
unzip ~/workspace/source/ObfuscatedAppExamples/NoTampering.ipa \
  -d /tmp/notamper_analysis/
cd /tmp/notamper_analysis/Payload/*.app/

2. Examine metadata

# Check bundle info
plutil -p Info.plist | grep -E "CFBundle(Identifier|Version|Name)"

# View entitlements
codesign -d --entitlements :- NoTampering

# Check code signature
codesign -dv NoTampering

3. Analyze binary

# Check architecture
file NoTampering

# List symbols
nm NoTampering | grep -i "tamper"

# Search strings for anti-tampering
strings NoTampering | grep -iE "(debug|jail|tamper|crack)"

4. Inventory resources

# List all files
find . -type f | sort

# Check for embedded frameworks
ls -la Frameworks/ 2>/dev/null

# Find configuration files
find . -name "*.plist" -o -name "*.json" -o -name "*.xml"

Creating IPA Files

From App Bundle

1. Prepare app bundle

Ensure the app is properly signed and contains all required components.

2. Create Payload directory

mkdir Payload
cp -r MyApp.app Payload/

3. Create ZIP archive

zip -r MyApp.ipa Payload

4. Add optional metadata

# Add app icon (if available)
cp icon-512.png iTunesArtwork
cp icon-1024.png iTunesArtwork@2x

# Add to IPA
zip MyApp.ipa iTunesArtwork iTunesArtwork@2x

Using Xcode

# Build and archive
xcodebuild -scheme MyApp -archivePath MyApp.xcarchive archive

# Export IPA
xcodebuild -exportArchive \
  -archivePath MyApp.xcarchive \
  -exportPath . \
  -exportOptionsPlist exportOptions.plist

IPA Distribution Methods

App Store: official distribution through Apple’s App Store.
  • Requires App Store Connect submission
  • App Review required
  • Binary encrypted by Apple
  • Best for public apps

Security Considerations

When analyzing IPA files, be aware of:

Malware

IPAs from untrusted sources may contain malicious code.

Modified Apps

Re-signed apps may have injected code or removed security checks.

Privacy

iTunesMetadata.plist contains purchaser information.

Legal

Reverse engineering may violate terms of service or copyright law.

Useful Tools

unzip        # Extract IPA files
file         # Identify file types
otool        # Mach-O inspection
codesign     # Signature verification
security     # Keychain & certificates
plutil       # Property list manipulation
class-dump   # Objective-C header extraction

Next Steps

iOS App Structure

Deep dive into the app bundle structure inside IPAs.

Code Signing

Understand how IPAs are signed and verified.

Mach-O Format

Learn about the executable binary format.

Static Analysis

Begin analyzing IPA contents for security research.
