Security of over-the-air distribution of enterprise iPhone apps - OTA iOS - iphone

In over-the-air distribution of an enterprise iPhone app, the iPhone securely downloads an XML manifest file containing a fully-qualified URL pointing to the .ipa file (the app itself) then downloads the app from there and installs it.
I am wondering whether there is a security flaw here. Assuming the iPhones are outside the firewall on the public Internet, and in the absence of a VPN, wouldn't the .ipa file have to be publicly-readable over HTTP, i.e. anyone could grab it and install using iTunes if they knew the URL?
The Apple reference is http://help.apple.com/iosdeployment-apps/#app43ad871e (enterprise developers only I think).
Probably I'm missing something and it's safe?
Thanks
Bill.

In order to use OTA iPhone app, the person who is attempting to download the app must install the proper certificate.
Enterprise Apps are limited to 1000 OTA installs, which Apple can track on their end.
For non-enterprise developer accounts, you have a 100 device limit, and they first have to get the device UDID up to the provisioning portal before they can install the proper certificate to run the app.
So while you can freely distribute the ipa (over HTTP or FTP or whatevs) they'll still need the proper valid certificate, and that is controlled.
Of course there are probably ways around this, but in general that's how Apple protects OTA installs.

If you are distributing the .ipa file for your Enterprise profile, that app can be installed on any device. You would see a subtle warning at the bottom of the provisioning page that says something like,
This profile can be installed on any application.
I've tested it, and it does indeed work.

Yes the .ipa is on the open internet.
You can password protect (.htpasspw) the page so anyone knowing the URL needs to enter a user/password combo to enter the page and to download the ipa.

Related

Is it possible to modify the bundle and re-sign an app store signed IPA with a wildcard ad hoc profile?

Is it possible to:
1. Download the IPA of an App Store iOS app (e.g. the Facebook app)
2. Change an asset in the bundle (e.g. swap out an image)
3. Re-sign the bundle with an ad hoc profile (it will need to be a wildcard profile)
4. Install the app on a development device (e.g. using the iPhone Configuration Utility)
The reason being, I thought up a theoretical vulnerability with SSL pinning and I want to know if it would be possible in practice.
I am fairly sure 1, 2 and 3 would work, but I am not sure whether iOS would allow it to be installed or not (step 4).
Theoretically that should be possible. The IPA is just a ZIP file; rename it and extract, then you can modify it to your heart's content. Then re-sign it using codesign, and you should be rockin.
I'm a bit confused what vulnerability you are exploiting; you specified that you're signing it with a development profile and installing it on a development device. You aren't really breaking any of the sandbox security by doing this. If you were able to modify the IPA contents and get it to run without resigning it, now that would be an exploit.
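Because the IPA is a ZIP file, the provisioning profile inside it can be read to see which devices a copy of the file would actually install on, which is the control the answers in the first thread describe. This is an added example, not code from any of the posts: the sample archive and its wrapper bytes are constructed, the helper names are hypothetical, and `ProvisionsAllDevices` and `ProvisionedDevices` are the profile keys it relies on.

```python
import io
import plistlib
import zipfile

PROFILE_SUFFIX = ".app/embedded.mobileprovision"


def profile_from_ipa(ipa_bytes):
    """Return the provisioning profile inside an .ipa (a ZIP archive) as a dict.

    Inspection only: the profile's signature is not verified here.
    """
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        name = next((n for n in ipa.namelist()
                     if n.startswith("Payload/") and n.endswith(PROFILE_SUFFIX)), None)
        if name is None:
            return {}
        blob = ipa.read(name)
    # The profile is a signed container with the plist embedded as plain XML.
    start = blob.index(b"<?xml")
    end = blob.index(b"</plist>", start) + len(b"</plist>")
    return plistlib.loads(blob[start:end])


def install_scope(profile):
    """Say which devices this profile lets the signed app run on."""
    if profile.get("ProvisionsAllDevices"):
        return "enterprise: any device"
    devices = profile.get("ProvisionedDevices") or []
    if devices:
        return "device-limited: %d listed UDID(s)" % len(devices)
    return "no embedded device grant"


def make_sample_ipa(profile=None):
    """Build a constructed stand-in .ipa; wrapper bytes imitate the signed container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/YourApp.app/Info.plist",
                   plistlib.dumps({"CFBundleName": "YourApp"}))
        if profile is not None:
            blob = b"CONSTRUCTED-WRAPPER" + plistlib.dumps(profile) + b"CONSTRUCTED-SIGNATURE"
            z.writestr("Payload/YourApp" + PROFILE_SUFFIX, blob)
    return buf.getvalue()


if __name__ == "__main__":
    for p in ({"ProvisionsAllDevices": True}, {"ProvisionedDevices": ["0" * 40]}, None):
        print(install_scope(profile_from_ipa(make_sample_ipa(p))))
```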

How can I deliver iOS app to tester that hasn't got a mac

I'm developing an iOS application (I have macbook) and I have an apple developer's account.
How can I deliver iPhone app to tester that hasn't got a mac?
Tester's phone is not jailbroken (I can't build deb)
I recommend using the Test Flight service. It allows you to upload builds of your application and distribute them to testers via their website.
They have a great help section to get you started.
EDIT: Oh, and it's free for the basic service.
I hope that helps. Good luck.
They can run iTunes on a Windows machine too. But if they don't have a computer at all there is another option. You can distribute it via a link.
It's really easy. Prepare to do an adhoc distribution as usual and then click the "Enterprise Distribution" tick box.
Then add the URL to where the final .ipa will be. I usually fill in the app name on the second line as well but never fill the rest in.
e.g.
http://www.yourdomain.com/YourApp/YourApp.ipa
Then upload the created .plist and .ipa to the relevant URL so that the 2 files are available as:
http://www.yourdomain.com/YourApp/YourApp.ipa
http://www.yourdomain.com/YourApp/YourApp.plist
Now finally create a simple HTML page and upload it to your site.
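<html>
<body>
<!-- itms-services link pointing at the uploaded manifest (.plist) -->
<center><a href="itms-services://?action=download-manifest&amp;url=http://www.yourdomain.com/YourApp/YourApp.plist"><font size="20">Click here to install YourApp</font></a></center>
</body>
</html>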
Now send them a link to the above HTML page and they are good to install.
Be warned: You must have the tester's UDID in the adhoc distribution profile certificate or this will not work.
Follow these steps:
1. Include the users' UDIDs in your adhoc distribution profile certificate (same step as in Goz's answer).
2. In Xcode, use the Archive function and sign the code with the adhoc profile certificate.
3. In Organizer, create the .ipa file for distribution.
4. Send the .ipa file to your users (i.e. via email).
5. Ask them to drag and drop the .ipa file into the Applications section of iTunes for Windows and synchronize their devices.
You must have Mac OS and a Mac machine to develop them. You will need Xcode installed on Mac OS X to code, run and test your application.
If you do not want to buy a Mac, you can install Mac OS X on a PC by referring to this link; that's called a Hackintosh. This works fine on a PC if you follow the steps properly:
http://tonymacx86.blogspot.in/2011/07/xmove-multibeast-install-os-x-107-lion.html
If that's not possible, you may consider inviting the person over physically or doing it virtually via e.g. TeamViewer or any other remote desktop protocol.
The most convenient and time saving approach that I have used so far is Test Flight. The integration is seamlessly easy. You can share files with testers and it does not require you to have a system.
The main steps are
1) Download and integrate the Testflight SDK after creating a valid account (login required).
2) Integrate the SDK with the iPhone application (though it isn't mandatory if you only wish to distribute the application and not track its usage for reporting purposes).
3) Create your team and upload the build on the Portal.
4) Subsequently allow testers to have access to the permitted devices mentioned in the provisioning profile.
You can manage Multiple teams and applications at a single place. Hope it helps.

Installing an Ad Hoc app for testing without synchronizing iTunes

I have an iPhone app that I'm distributing to testers. I followed these instructions:
https://developer.apple.com/library/ios/#documentation/ToolsLanguages/Conceptual/YourFirstAppStoreSubmission/TestYourApponManyDevicesandiOSVersions/TestYourApponManyDevicesandiOSVersions.html
And they work except for one of my testers, who does not use iTunes to synchronize his apps. He has many apps already on his phone and doesn't want to synch to iTunes because it sounds like it will delete them. So...Is there any other way to get a testing app onto an iPhone besides synchronizing with iTunes?
Simply distribute it using OTA ("Over The Air" distribution).
When you Archive your application using Xcode (menu Product -> Archive, I hope that's what you do already to keep debugging symbols so that you can symbolicate crash logs when testers send some back to you!), once you click on "Distribute", select the "OTA Distribution" option and follow the steps.
Don't forget to check the "Distribute for Enterprise" checkbox in the appropriate step and fill in the requested information (Product Name, URL of the IPA when you will upload it on your server, etc).
Once your .ipa and the associated .plist are created, upload them both to a web server, and make a link to "itms-services://?action=download-manifest&url=<the_url_to_your_plist_file_here>".
When users open this link from their iPhone, it will prompt them to install the application on their device directly, without the need to plug their device into any computer.
There are many tutorials on the net about this, simply google about iPhone OTA distribution.
I strongly recommend TestFlight. It's free and it's easy and they manage all that server side work.
Since your user is afraid of the iTunes Sync Process (for good reason), why not recommend that he use the iPhone Configuration Utility?
That tool does not do a complete sync but only transmits the app you specified.
It is free, easy to use and very reliable. Well, sometimes it has its hiccups on Windoze systems but that seems to be a normal experience for users of that OS.

App distribution through website ...?

I have seen that a few web sites give an ipa, and that ipa installs on any iPhone device. How is it possible? Is there any way that my ipa could install on any iPhone device, without the app store?
http://www.codeproject.com/KB/iPhone/abPlayer_iPhone/abPlayer_ipa.zip
How is it possible? Any help?
Is it distributed publicly?
You can use over the air distribution for your app by uploading it to a website and accessing it via a specially crafted URL, similar to itms://path/to/manifest.xml. An example manifest file can be found here.
Note though, that using this method without an enterprise distribution profile, you will still need to provision the devices that you expect to run the app on. You are limited to 100 devices on a normal developer account.
You can apply for an Enterprise account, if you need to distribute to more than 100 devices and you will not need to explicitly provision those devices. However, the terms of the Enterprise agreement state that it is to be used for in-house distribution only, not to the general public. If Apple find out that you are just using the enterprise distribution to get around the App Store, they will close the account. They may not even give you one in the first place, if you cannot prove that you will only use it for in-house distribution/testing.
Yes, you can upload your ipa on testflightapp.com. They will provide you the link for download.
For that you need to register with Apple for an Enterprise account; once you register, you can distribute the application without the app store, with the distribution certificate.

how to deploy custom iphone apps to devices from a pc

I made an app with xcode, and now I want to share it with a few others. The problem is I live in different provinces as them and they do not have a mac. I would rather not go through the app store and I don't mind getting the enterprise developer account if it is necessary. Does anyone know how I can go about doing so?
What you need is Ad Hoc distribution. You could also use a tool such as Testflight, and let your other users download your app over the air.
Use Testflight or other over the air installation tools. You'll need a valid Ad-Hoc Certificate that includes the devices it's going to be installed on. Check this for more info on the topic!
Finally, you can just send them an .ipa if you don't have a server (you can get that from Xcode) and they can drag it into iTunes to install the application. It will sync the next time they sync their devices to their computer.
Just extract your ipa.
In PC/Windows, drag the ipa to iTunes.
Synchronize iTunes with the device.