What’s in that app? A guide to app internal structure

Running executable code in macOS is fundamentally simple: all you need is a Mach-O binary file, as most command tools are. The snag is that has to be run from a command shell, or indirectly, and has no GUI. There are also plenty of things it can’t do, or needs more configuration to support. This article explains what goes into a modern app bundle, and why they’ve become so complex.

basicAppStructure

A basic non-App Store app consists of a structure of files and folders inside a folder named Contents, within the .app folder. These are:

The _CodeSignature folder containing the cdhashes for the app’s components, used by macOS to check that it hasn’t been tampered with in any way.
The CodeResources file, which contains the app’s notarization ticket, which is checked when it’s first run.
The Info property list, which is an essential list of settings for the app, including its version and build numbers.
The MacOS folder, containing the app’s main executable code which is launched when you run the app.
The PkgInfo file, eight bytes of legacy content identifying the app and its type in the same terms used in Classic Mac OS.
The Resources folder containing largely non-executable resources used by the app, such as its icons, window layouts, localised text, Help books, and anything else required. Occasionally scripts appear here, for example for uninstalling an app.

Apps provided through the App Store normally don’t have a CodeResources file, but contain another folder named _MASReceipt, which contains their App Store receipt, and is checked by the app when it’s launched. Some notarized apps don’t come with a CodeResources file either, and their notarization has to be checked online by macOS instead.

Although you should never encounter an app which uses all the files and folders shown below, this illustrates some of the more common possibilities. Even the massively complex Xcode doesn’t go this far.

basicAppStructureAdv

Additions include the following:

The embedded.provisionprofile file contains additional settings provided by the developer in a provisioning profile for macOS, and information about it is displayed in its QuickLook thumbnail.
The Frameworks folder contains a mixture of dylibs, dynamic libraries, and .framework bundles, which contain additional executable code which is used by the app. Apps which use Swift normally include a set of Swift dylibs, for example.
The Helpers folder can contain various helper executable files, used by the app when needed.
The Plugins folder contains bundles of app extensions, which the app relies upon to function.
The XPCServices folder can contain executable code for helpers, with which the app communicates using XPC protocols.

It’s usually the Library folder which is most complicated, containing:

The LaunchServices folder containing app helpers which are normally launched as a result of an added property list in the LaunchServices folder in a Library.
The LoginItems folder, which contains Login Items which macOS runs automatically when you log in, although these aren’t usually accessible in the list in the Users & Groups pane.
The QuickLook folder containing QuickLook generator code, to enable QuickLook thumbnails and previews of custom document types.
The Spotlight folder containing Spotlight MD Importer code, which enables Spotlight to index the contents of custom document types.
The SystemExtensions folder containing any System Extensions which the app relies on. These should now have replaced app kernel extensions or kexts, which used to be contained within an Extensions folder.

Helpers and similar code are used for several good reasons, the most common being when an app has to run code at elevated privileges. This is required to access many protected system features. One of the basic principles of app security is that only the minimum essential code should ever be run at elevated privileges, so running the whole app as root isn’t wise.

Instead, code needed to be run with root privileges is separated out into a helper app. When the main app needs to access those features, it does so via that helper. The standard way for an app and its helpers to communicate is using XPC. When correctly implemented, this enables the app to do sensitive things without putting your Mac at risk.

As a rule, you should never tamper with the contents of an app bundle. Changing any of its contents risks breaking its signature, which then results in macOS refusing to run that app. In the past, users have got away with gentle changes to non-executable items in the Resources folder, but even those can sometimes cause problems with app launching. If you really must make changes, do so with caution, and it’s often best done after stripping the app’s signature altogether. However, as M1 series Macs won’t run unsigned code, for them you must re-sign the app, which gets fiddly and is prone to error.

The days of customising window and other resources in apps are long since past.

6Comments

Add yours

1

Joss on December 13, 2021 at 10:01 am

I wonder where the *.app/Contents convention comes from, i.e. to have the actual bundle part of the app bundle one level deeper, and to have a root directory without any regular files. Seems kinda stupid at first glance, but I faintly remember reading somewhere that it was a NeXTSTEP convention. But why? Was there originally supposed to be more in the root directory next to the ./Contents subdirectory? Maybe a place for user-generated stuff? (It *can* house resource forks, individual “icon files” for the app icon etc., but those are not actually within that directory afaik… it’s just how macOS displays it.)

LikeLiked by 1 person
- 2
  
  hoakley on December 13, 2021 at 1:01 pm
  
  Thank you, Joss.
  I expect this bundle structure is inherited from NeXTSTEP, where there were probably good reasons for it. I’m not sure what your last parenthetical sentence refers to, though: app icons are stored in the Resources folder, and anything stored at the level of Contents isn’t visible in the bundle itself.
  Howard.
  
  LikeLike
  - 3
    
    Joss on December 13, 2021 at 1:35 pm
    
    When you manually change an app’s icon, usually via the Finder’s Info panel, a zero byte “Icon” file is written into the app’s root, and the icon’s graphical data is contained in the zerofile’s resource fork. Here’s an example where I changed SilentKnight’s icon: https://i.imgur.com/lFS0IAT.png … my hunch is that NeXTSTEP had some original plans for the root directory, which Apple might have planned to implement, which is why they kept the structure, but (at the latest) when code signing came around, they just let it be.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on December 13, 2021 at 3:12 pm
      
      Thank you.
      I’ve already explained this in detail here. The custom icon is outside the bundle by design, and I don’t think has anything to do with design intentions for bundles – it’s just a good way of getting the Finder to customise without interfering with the bundle contents.
      Howard.
      
      LikeLike
5

Christian on December 16, 2021 at 11:31 am

Hi Howard,
About codesigning, I’ve got an issue here in 10.14: when I try to install the Command Line Tools with xcode-select –install, it tries to connect to the server but ends with a warning saying (translated from French): “Impossible to install this software as it’s currently unavailable from the software updates server”
Could it be that Apple removed it?
Command Line Tools 8.2 that I have kept from 10.11 install and partially work, but some of them seem not working or absent.
Have you got any idea how I can DL a 10.14 compatible version? (without having installed a more recent macOS 😉 )
Thanks.

LikeLiked by 1 person
- 6
  
  hoakley on December 16, 2021 at 12:36 pm
  
  I’m sorry, I have no idea.
  Apple provides two ways of obtaining Xcode: the App Store, which certainly wouldn’t offer old versions, and through Downloads for a Developer account. The latter might offer older versions, but I’d be surprised if they went back that far.
  Howard.
  
  LikeLike

Share this:

Like this:

Related