When you download an app from the App Store, Apple injects a special 4196-byte header, encrypted with the public key associated with your iTunes account, into the signed binary. This public/private key pair is generated when you create your iTunes account and is transferred to your iOS device when you log in with your iTunes account or Apple ID. This is part of Apple's FairPlay DRM. At install time, your iOS device tries to decrypt the header with your key, which will succeed if the app was downloaded from the App Store with matching credentials.

How do tools like AppSync bypass the check?

Many older versions of AppSync are based on the original tool PPSync, a patch made by the notorious Chinese iOS piracy website 25pp, which modifies installd's launch daemon plist file to interpose its signature-checking routines. This is unsafe and creates an unstable runtime. Newer tools such as AppSync Unified use the dynamic hooking function MSHookFunction() in Cydia Substrate to bypass installd's signature checks. This means AppSync Unified does not modify any system files and is much more stable and safe as a result.

Why can you only remove the DRM from an iOS app on an actual device?

Tools such as Crackulous are just a frontend on top of Clutch, a DRM-removal tool. An additional signature check is performed at runtime to ensure the application is provisioned to run on your iOS device. Clutch hooks into the device runtime to dump the application from memory into an unsigned binary.

Sources:

Copy Protection Overview - The iPhone Wiki

AppSync Unified on GitHub

Clutch on GitHub