LiveContainer
Run unsigned iOS app without actually installing it!
- Allows you to install unlimited apps (10 apps limit of free developer account do not apply here!)
- Codesigning is entirely bypassed (requires JIT), no need to sign your apps before installing.
Building
export THEOS=/path/to/theos
make package
How does it work?
Patching guest executable
- Patch
__PAGEZEROsegment:- Change
vmaddrto0xFFFFC000(0x100000000 - 0x4000) - Change
vmsizeto0x4000
- Change
- Convert
MH_EXECUTEtoMH_DYLIB.
Patching @executable_path
- Call
_dyld_get_image_name(0)to get image name pointer. - Overwrite its content with guest executable path.
Patching NSBundle.mainBundle
- This property is overwritten with the guest app's bundle.
Bypassing Library Validation
- Derived from Restoring Dyld Memory Loading
- JIT is required to bypass codesigning.
dlopening the executable
- Call
dlopenwith the guest app's executable - Find the entry point
- Jump to the entry point
- The guest app's entry point calls
UIApplicationMainand start up like any other iOS apps.
Limitations
- Entitlements from the guest app are not applied to the host app. This isn't a big deal since sideloaded apps requires only basic entitlements.
- App Permissions are globally applied.
- Guest app containers are not sandboxed. This means one guest app can access other guest apps's data.
- arm64e is untested. It is recommended to use arm64 binary.
- Only one guest app can run at a time. This is much more like 3 apps limit where you have to disable an app to run another (switching between app in LiveContainer is instant).
- Remote push notification might not work.
If you have a paid developer account then you don't even have to use LiveContainer - Querying URL schemes might not work(?)
TODO
- Handle fat binary
- Isolating
NSFileManager.defaultManagerandNSUserDefaults.userDefaults - Auto lock orientation
- Simulate App Group(?)
- More(?)