Add support for iOS apps
This has been discussed before and I think everybody would like to support this, but so far nobody had the necessary expertise or time to look into this (including me).
I did some research and it looks like this is a lot more difficult on iOS than it is on Android. I'm opening this issue to have a place where we can discuss the steps necessary to make this happen (or if there are any viable alternatives while this is being worked on in the open source community).
Steps necessary for reproducibility
- Get .ipa file from App Store
- Set up build environment that can build an iOS app
- Get diff of the 2 outputs
This sounds simple enough, but as far as I've read there are a couple of issues.
Telegram has written an article about how they do it (basically what I summarised below in a bit more detail). Sadly it looks like "Step 9. Downloading a decrypted version of the app from the App Store" has been left out, possibly for legal reasons? Telegram Reproducible Builds.
1. Get .ipa file from App Store
It is not trivial to get the .ipa file from the App Store. It seems that the only way is by installing the app on an iPhone, then copying it to the computer using "Apple Configurator 2" (source).
The problem with this approach seems to be that Apple encrypts the binaries after developers submit them to the App Store (some DRM protection). So by default, the binaries will never match. From what I've read, the only way to decrypt the binaries is to run the app and extract it from a jailbroken iPhone.
2. Set up build environment that can build an iOS app
Because iOS apps need to be built on a Mac, we cannot provide a Docker container as we have for Android. The best we could do is provide a Parallels / VMware / VirtualBox image that people can use to build the app (but besides the obvious security risks, I'm not even sure if this is legal).
So reproducers would probably have to set up their own build environment, either on a host Mac directly or setting up a virtualised environment themselves.
3. Get diff of the 2 outputs
After the decrypted binaries from step 1 are extracted, analysing the diff output should be pretty straightforward.
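As an added illustration of what step 3 could look like (example code, not from this issue or any project mentioned in it), the script below compares two .ipa archives entry by entry. It assumes both inputs are ordinary zip files with the usual `Payload/<App>.app/` layout, and it assumes that the `_CodeSignature` directory should be ignored because a code signature is tied to the signing identity rather than to the source; both sample archives are constructed in memory, so the script runs offline.

```python
import hashlib
import io
import json
import zipfile
from typing import Dict, Iterable, List

# Directory names whose contents are expected to differ between an App Store
# build and a local build even when the build is reproducible (assumption:
# the signature depends on who signed, not on the source).
DEFAULT_IGNORE_DIRS = ("_CodeSignature",)


def entry_hashes(ipa_bytes: bytes) -> Dict[str, str]:
    """Map every file path inside an .ipa (a zip archive) to its SHA-256 hex digest."""
    hashes: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                hashes[info.filename] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def _keep(path: str, ignore_dirs: Iterable[str]) -> bool:
    # Drop an entry if any directory component is in the ignore list.
    return not any(part in ignore_dirs for part in path.split("/"))


def diff_ipas(store_ipa: bytes, local_ipa: bytes,
              ignore_dirs: Iterable[str] = DEFAULT_IGNORE_DIRS) -> Dict[str, List[str]]:
    """Report which entries are missing on one side, changed, or byte-identical."""
    store = {p: h for p, h in entry_hashes(store_ipa).items() if _keep(p, ignore_dirs)}
    local = {p: h for p, h in entry_hashes(local_ipa).items() if _keep(p, ignore_dirs)}
    common = set(store) & set(local)
    return {
        "only_in_store": sorted(set(store) - set(local)),
        "only_in_local": sorted(set(local) - set(store)),
        "changed": sorted(p for p in common if store[p] != local[p]),
        "identical": sorted(p for p in common if store[p] == local[p]),
    }


def build_sample_ipa(files: Dict[str, bytes]) -> bytes:
    """Constructed stand-in for an .ipa: a zip with the given paths and contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in files.items():
            zf.writestr(path, data)
    return buf.getvalue()


def demo() -> Dict[str, List[str]]:
    """Constructed example: resources match, the main executable differs,
    and only the local build carries a provisioning profile."""
    app = "Payload/Example.app/"
    common = {app + "Info.plist": b"<plist/>", app + "Assets.car": b"\x00asset"}
    store = build_sample_ipa({
        **common,
        app + "Example": b"ENCRYPTED-BY-APP-STORE",        # constructed placeholder
        app + "_CodeSignature/CodeResources": b"store-sig",  # ignored by default
    })
    local = build_sample_ipa({
        **common,
        app + "Example": b"MACH-O-FROM-LOCAL-BUILD",        # constructed placeholder
        app + "_CodeSignature/CodeResources": b"local-sig",  # ignored by default
        app + "embedded.mobileprovision": b"profile",
    })
    return diff_ipas(store, local)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real pair of archives the main executable is the entry most likely to land in `changed`; if step 1 was skipped and the store binary is still encrypted, it will show up there no matter how reproducible the build is, so the hash comparison only says something once the decrypted binary is in hand.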
Alternatives
Using Ad Hoc Certificates
.ipas can be distributed through a regular website (see this StackOverflow post). But it seems the devices that use the app have to be whitelisted.
So this would only be a viable solution for smaller apps (if it's even allowed).
Links
Signal GitHub Issue
German Coronavirus App GitHub Issue
Telegram Reproducible Builds