Skip to main content

Overview

iOS applications are distributed as application bundles with a .app extension. Understanding the internal structure of these bundles is fundamental to iOS reverse engineering, as it reveals how apps are organized, what resources they contain, and how they’re configured.

App Bundle Structure

An iOS app bundle is a directory with a specific structure that contains the executable binary, resources, and metadata required to run the application. iOS App Bundle and Mach-O Structure

Key Components

The main executable file, typically sharing the app’s name, is a Mach-O binary containing the compiled application code. This file is located at the root of the bundle.
MyApp.app/MyApp
The executable contains all compiled code including:
  • Objective-C and Swift implementations
  • C/C++ code
  • Framework and library code (if statically linked)
The Info.plist file contains essential metadata about the application including bundle identifier, version, supported devices, and required capabilities.Info.plist file opened in editorKey properties include:
  • CFBundleIdentifier: Unique app identifier (e.g., com.company.appname)
  • CFBundleExecutable: Name of the executable binary
  • CFBundleVersion: Build version number
  • CFBundleShortVersionString: User-facing version string
  • MinimumOSVersion: Minimum iOS version required
  • UIDeviceFamily: Supported device types (iPhone, iPad)
The embedded.mobileprovision file contains the provisioning profile used to sign the application, including:
  • Developer/distribution certificates
  • Allowed device UDIDs (for development builds)
  • App entitlements
  • Expiration date
MyApp.app/embedded.mobileprovision
The _CodeSignature directory contains files that verify the integrity and authenticity of the application:
MyApp.app/_CodeSignature/CodeResources
The CodeResources file contains hashes of all files in the bundle to detect tampering.

Resources and Assets

iOS apps contain various resource types that need to be understood during reverse engineering:

Asset Catalogs

MyApp.app/
├── Assets.car           # Compiled asset catalog
├── [email protected]  # App icons
└── LaunchImage.png      # Launch screen assets

Localization Resources

Localized strings and resources are stored in .lproj directories: 
MyApp.app/
├── en.lproj/
   ├── Localizable.strings
   └── Main.storyboard
└── es.lproj/
    ├── Localizable.strings
    └── Main.storyboard
Examining localization files can reveal feature names, error messages, and UI text that provide insight into app functionality.

Interface Files

Storyboards (.storyboard or .storyboardc when compiled) define the app’s user interface and navigation flow.
MyApp.app/Base.lproj/Main.storyboardc/
Compiled storyboards can be inspected using tools like ibtool or reverse engineered to understand UI structure.

Configuration Files

Property Lists

Beyond Info.plist, apps may contain additional property list files:

Settings Bundle

Settings.bundle contains app preferences displayed in the iOS Settings app.

URL Schemes

Defined in Info.plist under CFBundleURLTypes, revealing deep linking capabilities.

Entitlements

Special permissions and capabilities defined in the code signature.

App Transport Security

Network security settings in NSAppTransportSecurity key.

Frameworks and Libraries

Applications may embed private frameworks and dynamic libraries: 
MyApp.app/
├── Frameworks/
   ├── CustomFramework.framework/
   ├── CustomFramework (Mach-O binary)
   ├── Info.plist
   └── Resources/
   └── ThirdParty.framework/
└── PlugIns/
    └── Extension.appex/
Embedded frameworks are common in apps using third-party SDKs or modular architectures. Each framework is itself a bundle with its own Mach-O binary.

Inspecting App Bundles

Using Command Line Tools

1

Extract IPA file

unzip MyApp.ipa -d MyApp_extracted/
cd MyApp_extracted/Payload/MyApp.app/
2

List bundle contents

ls -la
3

Examine Info.plist

plutil -p Info.plist
# or convert to XML for easier reading
plutil -convert xml1 Info.plist
4

Check code signature

codesign -d --entitlements - MyApp

Using Reverse Engineering Tools

# Display Mach-O header
otool -h MyApp

# List load commands
otool -l MyApp

# Show shared libraries
otool -L MyApp

Practical Example

Examining the example apps in the project: 
# Extract an example IPA
unzip ~/workspace/source/ObfuscatedAppExamples/NoTampering.ipa -d /tmp/analysis/

# Navigate to app bundle
cd /tmp/analysis/Payload/*.app/

# Check bundle identifier and version
plutil -p Info.plist | grep -E "CFBundle(Identifier|Version)"

# List all resources
find . -type f | head -20

# Examine the main executable
file NoTampering
otool -h NoTampering
Always work with copies of IPA files and app bundles. Modifying the original bundle will invalidate the code signature.

Next Steps

Mach-O Format

Dive deep into the Mach-O executable binary format.

Code Signing

Learn how iOS code signing protects app integrity.

Entitlements

Understand app permissions and capabilities.

IPA Files

Learn about IPA file structure and extraction.

Build docs developers (and LLMs) love

Get started for freeTalk to us