Editing the Assets.car file to support inserting an icon for Appdome SecurePWA

Editing Assets.car file with no Apple tools

As part of the SecurePWA™ solution, Appdome offers the option to select an icon to represent the newly generated app. This blog describes how to do this by editing the Assets.car file.

Since Appdome receives the final binary products from its customers (.ipa and .apk files), we took the same approach when working on an internal project. We created the application through standard build tools (Xcode in this case), and only then changed the image in order to apply customization on the final .ipa.

Editing Assets.car file by inserting an Icon

For iOS, a problem occurs when trying to publish such an app on the Apple App Store. Apple requires that the icon be inserted into a file called Assets.car, an undocumented internal binary file, written and maintained by Apple.

There are several tools that enable you to create and maintain an Assets.car file, starting with Apple tools such as Xcode and actool and continuing with external open-source tools such as carparser and ThemeEngine. However, all these tools have one thing in common: they all use internal iOS libraries and require running on a macOS machine. Since Appdome's fuse process runs in a hosted Linux Docker container on AWS, a different solution had to be developed.

As we set out to choose a language for parsing the Assets.car file, we had to take these things into consideration:

  • A lot of our fusion code is written in Python, so we wanted to do as much as possible in Python
  • The reference code we used is written in Objective-C, which is much more easily converted to C/C++ than to Python

So, the solution we wrote consists of both Python and C++: 

  • Parsing the Assets.car is done using C++ 
  • The C++ isn't used as an application. Instead, we exposed libraries for Python to use
  • Python is used as a controller and for generating icons at the resolutions required

Reverse Engineering the .car File Format

A lot of the format is analyzed and described in the excellent article Reverse engineering the .car file format (compiled Asset Catalogs), along with the Objective-C code that is the basis of the C++ code we wrote.

Two things we needed that aren’t described in this article: 

Knowing where every block starts and ends

All solutions found online use the macOS private libraries to get this information. 

We found that navigating inside the Assets.car file uses an offset-length format. For example, in the beginning of every file, we'll find the following values:

This data is in 0x12AD10. In this case, it contains seven section names:

This data is in 0x12B5D0. It contains the sections in offset-length format:
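
The offset-length navigation described above, with a bounds check on every range before it is used (an added example, not Appdome's code). It assumes the file is a BOM store with the publicly documented big-endian header that points to a block index and a name table; the function names and the sample file are constructed for illustration.

```python
import struct

# Assumed header: magic, version, block count, index off/len, names off/len.
HEADER = struct.Struct(">8sIIIIII")

def checked_span(data, offset, length, what):
    """Slice data[offset:offset+length], refusing ranges past end of file."""
    if offset + length > len(data):
        raise ValueError(f"{what}: [{offset:#x}, +{length:#x}) is past end of file")
    return data[offset:offset + length]

def read_named_blocks(data):
    """Return {name: (offset, length)} for every named block in the store."""
    if len(data) < HEADER.size:
        raise ValueError("file shorter than header")
    magic, _, _, idx_off, idx_len, var_off, var_len = HEADER.unpack_from(data)
    if magic != b"BOMStore":
        raise ValueError("not a BOM store")
    index = checked_span(data, idx_off, idx_len, "block index")
    names = checked_span(data, var_off, var_len, "name table")
    (count,) = struct.unpack_from(">I", index)
    if 4 + 8 * count > len(index):
        raise ValueError("block index is truncated")
    pointers = [struct.unpack_from(">II", index, 4 + 8 * i) for i in range(count)]
    (nvars,) = struct.unpack_from(">I", names)
    named, pos = {}, 4
    for _ in range(nvars):
        block_id, name_len = struct.unpack_from(">IB", names, pos)
        name = names[pos + 5:pos + 5 + name_len].decode("ascii")
        if len(name) != name_len or block_id >= count:
            raise ValueError("name table entry is malformed")
        checked_span(data, *pointers[block_id], what=name)
        named[name] = pointers[block_id]
        pos += 5 + name_len
    return named

def constructed_store():
    """Constructed sample with two named blocks; not a real Assets.car."""
    blocks = [b"", b"header-bytes", b"image-database"]  # entry 0 is unused
    labels = [(1, b"CARHEADER"), (2, b"RENDITIONS")]
    body, pointers = b"", []
    for blk in blocks:
        pointers.append((HEADER.size + len(body) if blk else 0, len(blk)))
        body += blk
    index = struct.pack(">I", len(pointers)) + b"".join(struct.pack(">II", *p) for p in pointers)
    table = struct.pack(">I", len(labels)) + b"".join(struct.pack(">IB", i, len(n)) + n for i, n in labels)
    idx_off = HEADER.size + len(body)
    return HEADER.pack(b"BOMStore", 1, len(labels), idx_off, len(index),
                       idx_off + len(index), len(table)) + body + index + table
```

Running the same check on a rewritten file before it is packaged catches a record whose offset or length was not updated.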

Removing and adding pictures

There are many good industry-standard formats that can describe pictures, such as jpg, png or even bmp. Apple didn't use any of them. To represent a picture, they take a bitmap with a modified width, compress it and add a custom header.

To replace an existing picture with another we need to perform the following steps: 

  1. Change the icon we’d like to use to the resolution required. For instance, from a 1024×1024 png to a 40×40 png 
  2. Change the canvas size to add a custom width to the png – for instance, to insert a 40×40 png we need to change it into a 48×40 png 
    • Width Sizes are rounded up to a multiple of 16 
    • This is a very strange step as it increases the size of the bmp for no apparent reason (that we can tell) 
  3. Translate the png to a 32-bit bitmap. Use the rarely used BGRA format 
  4. Truncate the bmp header. Use only the bmp data 
  5. Compress the bitmap received. We used lzfse format 
  6. Change the data inside the appropriate csi header to the new compressed data, along with the matching header 
  7. Update the matching offset-lengths for this record along with all dependent offsets 
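
Steps 2 to 4 applied to raw pixel data, as an added example rather than Appdome's code: it pads the width to a multiple of 16, reorders RGBA to BGRA and returns header-less pixel bytes ready for compression. Padding on the right with transparent pixels and top-down row order are assumptions, as is the constructed 40×40 sample; lzfse compression (step 5) needs a third-party library and is left out.

```python
def padded_width(width, multiple=16):
    """Round a pixel width up to the next multiple (40 -> 48, as in step 2)."""
    if width <= 0:
        raise ValueError("width must be positive")
    return -(-width // multiple) * multiple

def rgba_rows_to_padded_bgra(rows):
    """Convert rows of (r, g, b, a) tuples to padded, header-less BGRA bytes.

    Returns (padded_width, height, data). Assumption: padding pixels are
    fully transparent and appended on the right of every row.
    """
    if not rows or not rows[0]:
        raise ValueError("empty image")
    width = len(rows[0])
    out_width = padded_width(width)
    out = bytearray()
    for y, row in enumerate(rows):
        if len(row) != width:
            raise ValueError(f"row {y} has {len(row)} pixels, expected {width}")
        for r, g, b, a in row:
            out += bytes((b, g, r, a))          # BGRA byte order (step 3)
        out += b"\x00" * 4 * (out_width - width)  # canvas padding (step 2)
    return out_width, len(rows), bytes(out)

def constructed_icon(size=40):
    """Constructed sample: a solid orange, fully opaque square."""
    return [[(255, 128, 0, 255)] * size for _ in range(size)]

if __name__ == "__main__":
    w, h, data = rgba_rows_to_padded_bgra(constructed_icon())
    print(f"{w}x{h}, {len(data)} bytes of BGRA data")
```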


Appdome's SecurePWA solution now effectively creates an Assets.car file containing an icon of the customer's choice, and gives our customers the ability to upload the app to the App Store without the need to use any of Apple's development tools.

Side notes

As you may have noticed, during our research we had our objective in mind, so we focused only on the areas that interested us. A full analysis of the Assets.car file can take weeks.

During the development of our solution, two iPhones were almost bricked by an app containing an (apparently) ill-formed Assets.car. These phones stopped working, and didn’t load even after we did a hard reset. Luckily, we managed to restore them using iTunes restore. So be careful when deploying half-baked solutions and be prepared for the worst.

Shlomi Agiv is an Appdome Researcher.
