Inferring how MightySignal works

MightySignal is a really cool website that lets you know when an application installs or uninstalls an SDK. This is useful if you are running a business selling SDKs or other tools to developers. Rather than look up how it works, let’s do a little exercise to figure out how it might work.

If I were trying to figure out what SDKs were included in an app on iOS, I would probably find a way to unpack the .ipa file. (Open source apps don’t count. Let’s assumed closed source, otherwise the problem is trivial.) .ipa files are encrypted by default, if I recall correctly. But, once you decrypt them, it’s just a folder. MacOS does the same thing. Apps are really folders that include all of the necessary assets, as well as an executable. If there are external libraries, they should be included in the folder as well.

Assuming you can’t do that, you could do something like provide a vital service to developers. Provide a library to developers that they all need and benefit from. With developer consent, perform introspection on the application to see if you can detect the presence of other libraries. The only problem with this is that you would need to know something about those libraries. It’s also unclear if Swift provides the same level of introspection that objective C provided to iOS developers. That said, you can still use Objective-C just fine.

You might also snoop the traffic, but that is only going to let you know about libraries that are phoning home or otherwise dependent upon external services with a unique footprint. It’s most likely that MightySignal is downloading every App Store update, decrypting the applications, and then simply printing out the list of libraries in the application bundle.

Genius!