Client Certificate on iOS: Best Practices - iphone

I am developing an application that will use a personal client certificate to verify the user's identity. The user will be issued the certificate from their company/organization, and will then have to install it on the phone somehow.
So my question is this: is it better for them to install it in the phone's built in storage, and the app would pull this cert from the OS, OR have the user add the cert to the application's doc folder via iTunes and load it from there?
The advantage of the cert being in the doc folder is that it's easy to locate and load into the app, but I'm not sure if that is considered "best practice."
Is there anyone out there who has actually done client certificates who can offer their input on the matter?

Through my research I have discovered that Apple does not support client certificates/PKI at this time. However if someone finds a work around, or if Apple adds this feature, please post your information here.

Related

Is there certificate storage or something like Keychain on Windows Phone 8?

Is there some documentation about how certificates are stored on WP8? (Is there special storage for them like on Android, or are they managed differently?) I cannot find any documentation regarding certificates. I am new to WP8 development and am stuck on this question.
If there is no certificate storage, maybe there is something similar to the iOS Keychain that saves information and lets other applications in the same Keychain access group access it?
I read that there is a possibility to encrypt/decrypt data, but as I understand it I can only decrypt it from one application, whereas I would need to access it from other applications as well.
Based on: http://msdn.microsoft.com/en-US/library/windowsphone/develop/ff402533(v=vs.105).aspx and
http://msdn.microsoft.com/en-US/library/windowsphone/develop/hh487164(v=vs.105).aspx
My target is to securely manage data (passwords, certificates) using multiple applications. (Multiple applications can access same passwords etc.)
3rd party WP8 apps do not have a way to constantly share data with other 3rd party apps. There's no shared DB, Cookie container or read-write file storage that's shared between apps. If that's a feature you'd like to see in future releases feel free to say so on the WP8 uservoice.
On the question of certificates, it is possible to install custom certificates on WP8 from file storage, email or apps. I've written up an example of how to install custom certificates on WP8 at a related question: TLS connection: override certificate validation

iOS get Configuration Profiles that are installed

The app I am currently working on requires the use of Configuration Profiles in order to connect to a server to download XML. The certificates are distributed in the form of .p12 files, and they can be installed in the settings app in the iPhone like the bottom-left image.
The problem is that all over the internet people are saying that this is impossible.
HOWEVER, Junos Pulse can do this (bottom-right image).
It is only reading the Configuration Profiles which is exactly what I need.
I did not have to install them into the Junos Pulse app. Adding them to the system, and launching the app is enough for my profiles to be recognized.
Thanks for your help :)
The reason the Junos app is able to do this has been explained in a post in the Apple Developer Forums.
Original Question: https://devforums.apple.com/message/660579#660579
Explanation about Junos app: https://devforums.apple.com/message/351326#351326
To sum it up, access to this is not provided in the SDK and is by invitation from Apple only.
You won't. Your application is sandboxed; read the iOS App Programming Guide. Developer profiles are not public information for applications to access.
I am not sure what you are trying to accomplish, but iOS Keychain Services allows you to store and retrieve certificates and keys in a (supposedly) secure way. I have not used the API for anything other than storing passwords, so I cannot say how it works with certificates, but according to the docs it might work for you.
In particular, have a look at the SecItemCopyMatching function.
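The first question on this page (whether a user-issued client certificate belongs in the app's Documents folder or in the OS-provided store) and the answer above pointing at SecItemCopyMatching can be illustrated together. The following Swift code is an added example, not code from any of the questions or answers: it imports a PKCS#12 (.p12) blob into the app's own Keychain, reads the identity back with SecItemCopyMatching, and presents it only when the server explicitly asks for a client certificate. The Keychain label, the passphrase argument and wherever the .p12 bytes come from are assumptions made for the example. A .p12 left in the Documents folder is visible through iTunes file sharing and lands in backups, whereas a Keychain item marked ThisDeviceOnly is neither shared that way nor migrated to another device.

```swift
import Foundation
import Security

enum KeychainError: Error {
    case status(OSStatus)
    case unexpectedType
}

// Added example (not from the original page). Stores a client identity in the
// app's Keychain and retrieves it with SecItemCopyMatching.
enum ClientIdentityStore {
    // Assumed label used to find the identity again; any stable string works.
    static let label = "com.example.client-identity"

    /// Imports a .p12 blob (already read from wherever the organisation delivered it)
    /// and saves the contained identity (private key + certificate) in the Keychain.
    static func importIdentity(p12Data: Data, passphrase: String) throws {
        let options: [CFString: Any] = [kSecImportExportPassphrase: passphrase]
        var items: CFArray?
        let importStatus = SecPKCS12Import(p12Data as CFData, options as CFDictionary, &items)
        guard importStatus == errSecSuccess else { throw KeychainError.status(importStatus) }
        guard let first = (items as? [[String: Any]])?.first,
              let identityRef = first[kSecImportItemIdentity as String] else {
            throw KeychainError.unexpectedType
        }
        let identity = identityRef as! SecIdentity

        let addQuery: [CFString: Any] = [
            kSecValueRef: identity,
            kSecAttrLabel: label,
            // Usable only while the device is unlocked; never restored onto another device.
            kSecAttrAccessible: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        ]
        let addStatus = SecItemAdd(addQuery as CFDictionary, nil)
        // A second import of the same identity is harmless; everything else is an error.
        guard addStatus == errSecSuccess || addStatus == errSecDuplicateItem else {
            throw KeychainError.status(addStatus)
        }
    }

    /// Looks the identity up again by label. This is the SecItemCopyMatching call
    /// the answer above refers to.
    static func loadIdentity() throws -> SecIdentity {
        let query: [CFString: Any] = [
            kSecClass: kSecClassIdentity,
            kSecAttrLabel: label,
            kSecReturnRef: true,
            kSecMatchLimit: kSecMatchLimitOne,
        ]
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        guard status == errSecSuccess, let ref = result else { throw KeychainError.status(status) }
        guard CFGetTypeID(ref) == SecIdentityGetTypeID() else { throw KeychainError.unexpectedType }
        return ref as! SecIdentity
    }
}

/// URLSession delegate that answers a client-certificate challenge with the stored
/// identity and leaves server-trust evaluation to the system default.
final class ClientCertSessionDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodClientCertificate else {
            // Server trust (and anything else) keeps the normal validation path.
            completionHandler(.performDefaultHandling, nil)
            return
        }
        guard let identity = try? ClientIdentityStore.loadIdentity() else {
            // No usable identity: fail the request rather than continue anonymously.
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let credential = URLCredential(identity: identity, certificates: nil, persistence: .forSession)
        completionHandler(.useCredential, credential)
    }
}

// Usage (after importIdentity has run once):
// let session = URLSession(configuration: .default, delegate: ClientCertSessionDelegate(), delegateQueue: nil)
```

Because the import happens inside the app, the .p12 bytes only need to exist in memory for the duration of `SecPKCS12Import`; the Documents copy can be deleted afterwards, and the system-wide certificate store that Settings manages is never involved.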

Distribute unsigned app iPhone

Is there any way to distribute an unsigned app through emails or internet?
I.e. itms-services://?action=download-manifest&url=URL_TO_PLIST.
Moreover, is it a security issue if it is possible to install an unsigned app on a jailbroken device?
Thank you.
I can't quite understand what you're trying to do here - if you're trying to install an app that is not on the App Store and also unsigned with the itms-services-protocol, you are out of luck, as that is strictly for iTunes and App Store-links.
The only way to distribute an app that is not on the App Store, is with the ipa-file, but that has to be signed as well (at least for unjailbroken devices).
You can do it in cydia with link like cydia://package/[package name]
However, security is really a question here. I'm not sure if there is any code review for the accepted packages.
Sorry if this is an extremely late response, but the question isn't closed yet, so I'm assuming you still need an answer. It is a security concern, but with a jailbreak, users are technically "opening" their device to such security threats, so I don't think that's much of a concern. If they jailbreak, they probably know what they're doing.
To answer the first part of your question, you can use ldid to pseudo-sign the app and then create an itms-services:// link that users tap to install. The only caveat to this option is that the iOS Device will contact oscp.apple.com & ax.init.itunes.apple.com to verify the app's signature. If you want to bypass this, you'll have to change the DNS settings of the iOS device using a mobile configuration file. Do this using Apple's iPhone Configuration Utility, which will generate a .mobileconfig with your specified settings. You won't have to generate a specific file for each device, so you can make one and you're done.
Anyways, back to the topic, jailbreaking doesn't remove the need for codesigning, it only removes the need for an app to be signed with Apple's certificate(s). itms-services:// is a bypass (for developers) of the same "need". Since Apple obviously doesn't want people who aren't developers just signing apps that aren't approved by Apple and installing them, they've implemented certificate checks. The signing-certificate is cross-checked with Apple's two servers. One of the servers (I don't know which) checks for "iPhone Developer:" in the name of the certificate. The other checks that it was signed by Apple's WWDRCA Certificate. If the iOS Device gets a response from either of the servers signifying that the app is "bad". If the iOS Device doesn't get a response, it will still install the app.
The way to go with this in order to bypass would be to clone a DNS server, and create a specific entry that will change the IP of these two servers to something (anything) else. That way, the Device will not get a response, and will install the application.
Modify the file SDKSettings.plist: set the code sign required value to NO.
When building, select the project (not the target) -- Build Settings -- Code Signing Identity: Don't Code Sign.
Build, and the resulting .ipa file can run on the jailbroken device.

Install SSL Certificate straight from the App

I'm having trouble finding this in the documentation. So the thing is simple. I'd like to install the SSL certificate in order to communicate with the server. That's very typical if you browse the site and you get the warning about the certificate and you can accept it or not.
On the iPhone, while using Safari it usually takes the user to Settings with a preloaded screen asking me to install the certificate.
The thing is I want to use the certificate to communicate with the server in the production version. And there will be no browser, just a typical table loading its rows from XML/JSON etc. I don't want to tell the code to generally allow untrusted certificates. I just want to preinstall that one, either by user acceptance or without it if not necessary.
I know the workaround to simply mail the certificate as an attachment, but c'mon, I'm not going to display the screen about this during my application launch.
Thank you in advance
Chris
This should be done via Keychain Services, check documentation at developer.apple.com.
Have a look at the AdvancedURLConnections example from Apple as suggested in this answer.
If possible, I would avoid the hassle and just get a valid certificate signed by a trusted CA.
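The question above wants exactly one known server certificate trusted without "generally allowing untrusted certificates". The following Swift code is an added example, not from the question or any of the answers: it ships the server's DER-encoded certificate in the app bundle and, for one expected host, replaces the system anchors with that single certificate during the server-trust challenge, so a mismatched or self-signed certificate from anyone else is still rejected. The resource name "server" and the host name are assumptions for the example.

```swift
import Foundation
import Security

// Added example (not from the original page). Trusts one bundled certificate for
// one host instead of disabling validation, and keeps default handling elsewhere.
final class PinnedServerTrustDelegate: NSObject, URLSessionDelegate {
    private let anchor: SecCertificate
    private let expectedHost: String

    /// Loads a DER certificate (e.g. "server.der", an assumed bundle resource).
    init?(derCertificateNamed name: String, forHost host: String, bundle: Bundle = .main) {
        guard let url = bundle.url(forResource: name, withExtension: "der"),
              let data = try? Data(contentsOf: url),
              let cert = SecCertificateCreateWithData(nil, data as CFData) else {
            return nil
        }
        anchor = cert
        expectedHost = host
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              space.host == expectedHost,
              let trust = space.serverTrust else {
            // Any other host or challenge type gets the normal system validation.
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Replace the system CA set with our single certificate, and only that one.
        guard SecTrustSetAnchorCertificates(trust, [anchor] as CFArray) == errSecSuccess,
              SecTrustSetAnchorCertificatesOnly(trust, true) == errSecSuccess else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // The trust object already carries the SSL policy for this host, so the
        // evaluation still checks the host name and validity period, not just the anchor.
        var error: CFError?
        if SecTrustEvaluateWithError(trust, &error) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Do not fall back to .performDefaultHandling here: that would let the
            // system anchors re-accept a certificate the pin just rejected.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage:
// let delegate = PinnedServerTrustDelegate(derCertificateNamed: "server", forHost: "api.example.com")
// let session = URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
```

The bundled certificate has to be replaced with an app update before it expires, which is the operational cost the last answer alludes to; a certificate from a trusted CA avoids that, and this delegate is only needed when the server's certificate genuinely cannot chain to the system roots.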

iPhone: Can one Mac be used for two business purposes?

I have a small doubt, so apologies first.
I am creating an iPhone application using my MacBook. I want to upload it to the App Store in a few days by creating a developer certificate and using a provisioning profile. My friend wants to create his own iPhone application and wants to upload it to the App Store for himself personally, but he wants to use my same MacBook, though he may create his own dev certificate etc. I hope this is possible. Can we both use the same MacBook to develop different business applications (mine and my friend's)? I'm just curious to ask this doubt.
One more question,
Can we submit an iPhone application to the App Store without having our own website? Is it mandatory to have my own web page for uploading an application to the App Store?
As long as all of the right pieces are installed, you could definitely share one Mac. You'd need all of the appropriate provisioning profiles installed in Xcode, and the private keys / signing certificates used to generate them installed in the Keychain.
Going with separate user accounts might be a good idea, if just so that neither of you gets confused and accidentally builds their app with the other person's profile. But there shouldn't be any technical reason why you couldn't do this with a single user.
You would both need different user accounts, but apart from that, I can't see a problem.
As far as I know, the certificates and public/private keys are per user.
As for the second question, I have no idea, sorry!
For first question:
Sure, it is possible! It's all a matter of creating different certificates and provisioning profiles, and making sure you use the correct certificate to code sign when you build the project!
Second Question:
You don't need a website of your own. I've come across many developers who use their Blogspot address!
But if you are serious and look serious, get a domain and a simple site :)
Cheers