应用套件保护-已签名的套件*可能*会被修改 [英] App bundle protection - signed bundle *may* be modified
问题描述
也许大家都知道,可以通过诸如iExplorer之类的工具轻松读取.app捆绑包(对于那些认为只有iTunes File Sharing允许访问iPhone上的数据的人感到惊讶)。也许您还阅读了《 iOS编程指南》的标题为首次启动时安装特定于应用程序的数据文件的部分。相关段落庄园:
Maybe you all know that .app bundle is easily accessible for reading via such tools like iExplorer (surpirise for those who thought only iTunes File Sharing allows to access data on iPhone). Maybe you've also read iOS Programming Guide, section entitled 'Installing App-Specific Data Files as First Launch'. Related paragraph estates:
...由于iOs应用程序已代码签名,因此修改捆绑软件中的文件会使应用程序的签名无效,并阻止您的应用程序将来启动。 ..
"... Because iOs apps are code signed, modifying files inside your bundle invalidates your app's signature and prevents your app from launching in the future. ..."
这是很明显的错误,至少在某种程度上。
That's obivously false, at least to some point.
我试图修改几个从AppStore购买了数个免费的第三方应用程序中的文件,并成功修改了多个文件的内容。 Voala,应用程序启动没有任何问题。事实是,我使用了上面提到的iExplorer,没有被黑客入侵,破解和越狱。只是可开发的设备,以及已发布,经过审核的应用程序。
I've tried to modify several files within SEVERAL free third-party apps purchased from AppStore and sucessfully modified content of several files. Voala, app launched without any problem. The thing is, that I've used iExplorer mentioned above, no hacking, cracking, jail-breaking. Just a development-enabled device, and published, reviewed apps.
我该怎么办?
推荐答案
仅当通过iTunes,Xcode,iPhone配置实用程序等在设备上将应用程序安装时,才验证代码签名。因此,编程指南的措辞是有点误导。
The code signing is only verified when the app is installed on the device through iTunes, Xcode, the iPhone Configuration Utility, etc. So the wording of the programming guide is a little misleading.
这可能会降低性能-那里有一些非常大的应用程序,每次启动时都必须验证所有应用程序资源的校验和。
This probably comes down to performance - there are some very large apps out there and having to verify the checksum of all the application's resources every time it is launched would take too long.
代码签名的目的并不是要真正防止篡改,而是要发现篡改。或更正确地说,这只是一种声明您使用这些特定资源构建此特定二进制文件的方法。攻击者可以根据需要完全删除代码签名。
And the point of code signing is not really to prevent tampering, but to detect tampering. Or more correctly, it's simply a way to state that you built this specific binary with these specific resources. The attacker could completely remove the code signing if they wanted.
因此,总会有方法修改应用程序的资源,甚至通过调试等方式编写代码。您无法真的可以避免这种情况。
So there will always be ways to modify an application's resources or even code through debugging, etc. You can't really protect against this.
这篇关于应用套件保护-已签名的套件*可能*会被修改的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
