Sideloading feature on iOS 9 and recent release of F.lux for iOS might lead to piracy on iOS without jailbreak

A. Vatsaev
Nov 13, 2015 · 3 min read

With latest Apple’s iOS 9 update, developers are no longer required to have a Developer Certificate to test their apps on real devices. Which is great, especially for students and beginners who want to learn iOS programming but don’t necessarily want to pay $100/year to be able to test their work.

This alone doesn’t enable piracy, but the recent release of F.lux for iOS revealed a method of installing any iOS app/game on iOS9 without jailbreak.

F.lux recently published their iOS app as an Xcode project for people to sideload, apparently disclosing the source code in the Xcode project wasn’t an option, so they did it by precompiling the app into an IPA archive, and putting it into an empty Xcode project, Apple contacted them shortly after and they pulled the app from their website.

Apple has contacted us to say that the f.lux for iOS download (previously available on this page) is in violation of the Developer Program Agreement, so this method of install is no longer available.

We understood that the new Xcode signing was designed to allow such use, but Apple has indicated that this should not continue.

The real reason for this was more than a simple violation of Developer Program Agreement. By removing the precompiled F.lux IPA from the Xcode project and replacing it with the contents extracted from the IPA archive of another iOS app, Xcode can install it on a device running iOS 9 (or 9.1).

This is what the F.lux Xcode project looks like:

Notice the iflux file which is precompiled F.lux IPA

By replacing everything selected with the contents of any other app, I was able to run them on my iPhone in one click (I was terrified after realising how easy it was).

I re-tested with a few other apps just to be sure I wasn’t hallucinating, and each time I was able to install and run them on my iPhone without any errors.

Of course I deleted the apps right after making sure they launch successfully.

I’m pretty sure this wasn’t F.lux’s initial intention, all they wanted was to get their wonderful app out there without revealing their intellectual property. But until Apple fixes this problem we might see people taking advantage of the situation by installing paid apps on their devices without buying them on the App Store, a lot of developers will be loosing money.

This also means that Apple will not take any more risks and remove the sideloading feature completely from iOS and Xcode.

EDIT: You still need to sign the application, my Xcode project was configured to not use a Signature, but turns out build settings section automatically sets a Certificate to run the app on the device. Sorry for the misinformation.

Research & Development engineer at IRCAD — IHU. Mobile & Web Engineering.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade