an application is actually a directory, albeit one with a well-de!ned structure. In Apple parlance, we refer to this directory as an application bundle
You can view the contents of an application bundle (such as the malware WindTail) in Finder by CTRL-clicking an application’s icon and selecting Show Package Contents
Can be analysed statically in depth using Apparency
Standard application bundles include the following !les and subdirectories:
- Contents/: A directory that contains all !les and subdirectories of the application bundle.
- Contents/CodeSignature: If the application is signed, contains code-signing information about the application (like hashes).
- Contents/MacOS: A directory that contains the application’s binary, which is what executes when the user double-clicks the application icon in the user interface.
- Contents/Resources: A directory that contains user interface elements of the application, such as images, documents, and nib/xib !les that describe various user interfaces.
- Contents/Info.plist: The application’s main con!guration !le. Apple notes that macOS uses this !le to ascertain pertinent information about the application (such as the location of the application’s main binary).
Though it’s unusual, if an Info.plist !le is not found in the bundle, the operating system will assume that the application’s executable will be found in the Contents/MacOS directory with a name that matches the application bundle. For a comprehensive discussion of application bundles, see Apple’s authoritative developer documentation on the matter: “Bundles”