How does iOS app DRM work, exactly?

When I purchase an app in iTunes on my Windows computer, I get an *.ipa file that is a self-contained iOS application package. I can browse the contents of these IPA files with 7-Zip and even extract resources and other details, which suggests these IPA files aren't encrypted at all.

So if they aren't encrypted, how does DRM work? What's stopping me from copying an IPA file to someone else's computer and importing the IPA into iTunes and then installing it on someone else's device?

Also, can someone please confirm that so long as I keep the IPA file I will be able to install it on my iDevices (under the same Apple ID, of course)? I'm just concerned that in future an app might be updated to remove features or might even be pulled from the App Store completely.


Solution 1:

Actually, it works more like SSL. Upon signing up for an Apple account, Apple generates a public/private key pair for your username. It then gives you your private key and keeps your public key. (That's why, when you first buy or when you restore your iDevice, you must activate it with your iTunes account.) Upon activation it transfers your private key to your iDevice. Basically, what happens is that when you buy an app (free or paid), Apple generates a 4096-byte-long header that is encrypted with your public key.

If you have any understanding of public/private keys, the public key can encrypt for its private pair. For example, I would use a server's public key to encrypt data to send to the server. The server would then use its private key to decrypt it. When it wants to send data back, it uses my public key to encrypt the data and I use my private key to decrypt it! Public keys can only encrypt data and cannot decrypt, and vice versa for private keys.

When you download your app, it has a header encrypted with your public key. Only your private key can decrypt the header embedded in the app. So, for example, if I copied an IPA generated for you, put it on my iDevice (this is assuming you can get it there; iTunes would refuse to sync it anyway), and then tried to run it, it would simply crash because my private key wouldn't be able to decrypt the header! Also, it's worth noting that the IPA file (an IPA is essentially a zip file that's been renamed) doesn't have the header. If you take a look at the contents of an IPA you will realize that it contains an extension-less file; take Facebook's app, for example, which would have a file named 'Facebook'. This is the app's binary, and this is the file that has the encrypted header in it.

Yes, as stated above, your apps will continue to run so long as you can remember your Apple ID, as the iDevice (and iTunes) does NO signature checking with iTunes whatsoever! This means you can install removed apps and also sync older IPAs to your device indefinitely, so long as they are yours and you still have the IPA!
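As an added example (not part of the answer above, and not Apple's or iTunes' code), the following Python script checks what the question observed: the IPA zip container itself is readable, while the extension-less executable inside it carries the encryption marker. That executable is a Mach-O file, and iOS records its FairPlay state in an LC_ENCRYPTION_INFO or LC_ENCRYPTION_INFO_64 load command whose `cryptid` field is non-zero while the code is still encrypted. The script only walks load commands; the sample Mach-O image and the in-memory IPA it builds are constructed test data, and the `Demo` bundle name, the function names and the sample `cryptoff`/`cryptsize` values are assumptions of this example.

```python
import io
import plistlib
import struct
import zipfile

# Constants from Apple's <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # 32/64-bit Mach-O, little-endian on ARM
FAT_MAGIC = 0xCAFEBABE                          # multi-arch container, big-endian fields
LC_UUID, LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x1B, 0x21, 0x2C


def parse_thin(blob, base=0):
    """Walk the load commands of one thin Mach-O image at `base` and report
    whether its encryption-info command says the code is still encrypted."""
    magic = struct.unpack_from("<I", blob, base)[0]
    if magic == MH_MAGIC_64:
        bits, header_size = 64, 32      # mach_header_64 has a trailing 'reserved' field
    elif magic == MH_MAGIC:
        bits, header_size = 32, 28      # mach_header
    else:
        raise ValueError("no little-endian Mach-O header at offset %d" % base)
    ncmds, sizeofcmds = struct.unpack_from("<II", blob, base + 16)
    off, end = base + header_size, base + header_size + sizeofcmds
    info = {"bits": bits, "encrypted": False, "cryptid": None}
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands run past sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmdsize < 8:
            raise ValueError("malformed load command")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # encryption_info_command: cmd, cmdsize, cryptoff, cryptsize, cryptid[, pad]
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", blob, off + 8)
            info.update(cryptoff=cryptoff, cryptsize=cryptsize, cryptid=cryptid,
                        encrypted=cryptid != 0)
        off += cmdsize
    return info


def encryption_status(blob):
    """Report the FairPlay encryption state of a thin Mach-O executable."""
    if struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:
        raise ValueError("fat (multi-architecture) binary: not handled by this example")
    return parse_thin(blob)


def ipa_encryption_status(ipa):
    """Find the app's main executable inside an IPA (a renamed zip) through
    Info.plist's CFBundleExecutable and report its encryption status."""
    with zipfile.ZipFile(ipa) as z:
        plist_name = next(n for n in z.namelist()
                          if n.startswith("Payload/") and n.endswith(".app/Info.plist")
                          and n.count("/") == 2)          # skip nested frameworks
        app_dir = plist_name.rsplit("/", 1)[0]
        exe = plistlib.loads(z.read(plist_name))["CFBundleExecutable"]
        return encryption_status(z.read("%s/%s" % (app_dir, exe)))


# --- constructed sample data (not a real app), used by the demo below ---

def build_image(cryptid, sixty_four=True):
    """Build a minimal Mach-O image with an LC_UUID and an encryption-info command."""
    enc_cmd = LC_ENCRYPTION_INFO_64 if sixty_four else LC_ENCRYPTION_INFO
    fields = [enc_cmd, 0, 0x4000, 0x8000, cryptid] + ([0] if sixty_four else [])
    fields[1] = 4 * len(fields)                              # cmdsize
    cmds = struct.pack("<II", LC_UUID, 24) + bytes(range(16))
    cmds += struct.pack("<%dI" % len(fields), *fields)
    if sixty_four:   # cputype CPU_TYPE_ARM64, filetype MH_EXECUTE (2), ncmds 2
        return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 2, len(cmds), 0, 0) + cmds
    return struct.pack("<7I", MH_MAGIC, 12, 9, 2, 2, len(cmds), 0) + cmds


def build_ipa(image, name="Demo"):
    """Assemble an in-memory IPA laid out as Payload/<name>.app/{Info.plist,<name>}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/%s.app/Info.plist" % name,
                   plistlib.dumps({"CFBundleExecutable": name}))
        z.writestr("Payload/%s.app/%s" % (name, name), image)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print("store copy :", ipa_encryption_status(build_ipa(build_image(1))))
    print("stripped   :", ipa_encryption_status(build_ipa(build_image(0))))
```

Against a real package, call `ipa_encryption_status("/path/to/app.ipa")` (the path is a placeholder). A non-zero `cryptid` is the check a reviewer wants before trusting that a binary pulled from a device or a sync folder is the store's protected copy: the zip container is plain, but the executable's code pages between `cryptoff` and `cryptoff + cryptsize` are ciphertext that only a device activated for the purchasing account can use. Fat (multi-architecture) containers are rejected with an error rather than parsed.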