I've a trouble finding it in documentation. So the thing is simple. I'd like to install the SSL certificate in order to communicate with the server. That's very typical if you browse the site and you have the warning about the certificate and you can accept it or not.
On the iPhone, while using safari it usually takes user to the settings with preloaded screen asking my to install the certificate.
The thing is I want to use the certificate to communicate with the server on production version. And there will be no browser, but typical table loading the rows from the XML/JSON etc. I don't want to tell the code to generally allow untrusted certificates. I just want to preinstall that one, either by user acceptance or without it if not necessary.
I know the workaround to simply mail the certificate as an attachment, but c'mon, I'm not going to display the screen about this during my application launch.
Thank you in advance
Chris
This should be done via Keychain Services, check documentation at developer.apple.com.
Have a look at the AdvancedURLConnections example from Apple as suggested in this answer.
If possible, I would avoid the hassle and just get a valid certificate signed by a trusted CA.
Related
The app I am currently working on requires the use of Configuration Profiles in order to connect to a server to download XML. The certificates are distributed in the form of .p12 files, and they can be installed in the settings app in the iPhone like the bottom-left image.
The problem is that all over the internet people are saying that this is impossible.
HOWEVER, Junos Pulse can do this(bottom-right image).
It is only reading the Configuration Profiles which is exactly what I need.
I did not have to install them into the Junos Pulse app. Adding them to the system, and launching the app is enough for my profiles to be recognized.
Thanks for your help :)
The reason the Junos app is able to do this has been explained in a post in the Apple Developer Forums.
Original Question: https://devforums.apple.com/message/660579#660579
Explanation about Junos app: https://devforums.apple.com/message/351326#351326
To sum it up, access to this is not provided in the SDK and is by invitation from Apple only.
You won't. Your application is sandboxed, read the iOS App Programming Guide. Developer profiles are not public information for applications to access.
I am not sure what you are trying to accomplish, but the iOS Keychain services allows you to store and retrieve certificates and keys in a (supposedly) secure way. I have not used the API for other than storing passwords, so I cannot say how it works with certificates, but according to the docs it might work for you.
In particular, have a look at the SecItemCopyMatching function.
We are developing an iPhone app, and we have one client who wants to use their own SSL certificate bundle. As far as I know this is not possible since the app can't access the device cert (assuming the client just install their own bundles on each of their device). Other option is to submit a whole different app just for them, but that's not a good solution and I am trying to avoid that.
Does anyone have experience with this sorts of problems? I tried to google around but could not find anything.
Any help or direction would be much appreciated!
Is there any way to distribute an unsigned app through emails or internet?
I.e. itms-services://?action=download-manifest&url=URL_TO_PLIST.
Moreover, it is a security issue if it is possible to install unsigned app on a jailbroken device?
Thank you.
I can't quite understand what you're trying to do here - if you're trying to install an app that is not on the App Store and also unsigned with the itms-services-protocol, you are out of luck, as that is strictly for iTunes and App Store-links.
The only way to distribute an app that is not on the App Store, is with the ipa-file, but that has to be signed as well (at least for unjailbroken devices).
You can do it in cydia with link like cydia://package/[package name]
However security is really a question here. Not sure if there any code review for the accepted packages.
Sorry if this is an extremely late response, but the question isn't closed yet, so I'm assuming you still need an answer. It is a security concern, but with a jailbreak, users are technically "opening" their device to such security threats, so I don't think that's much of a concern. If they jailbreak, they probably know what they're doing.
To answer the first part of your question, you can use ldid to pseudo-sign the app and then create an itms-services:// link that users tap to install. The only caveat to this option is that the iOS Device will contact oscp.apple.com & ax.init.itunes.apple.com to verify the app's signature. If you want to bypass this, you'll have to change the DNS settings of the iOS device using a mobile configuration file. Do this using Apple's iPhone Configuration Utility, which will generate a .mobileconfig with your specified settings. You won't have to generate a specific file for each device, so you can make one and you're done.
Anyways, back to the topic, jailbreaking doesn't remove the need for codesigning, it only removes the need for an app to be signed with Apple's certificate(s). itms-services:// is a bypass (for developers) of the same "need". Since Apple obviously doesn't want people who aren't developers just signing apps that aren't approved by Apple and installing them, they've implemented certificate checks. The signing-certificate is cross-checked with Apple's two servers. One of the servers (I don't know which) checks for "iPhone Developer:" in the name of the certificate. The other checks that it was signed by Apple's WWDRCA Certificate. If the iOS Device gets a response from either of the servers signifying that the app is "bad". If the iOS Device doesn't get a response, it will still install the app.
The way to go with this in order to bypass would be to clone a DNS server, and create a specific entry that will change the IP of these two servers to something (anything) else. That way, the Device will not get a response, and will install the application.
modify the file SDKSettings.plist : make code sign required value is NO
when build, selected project (not target) -- build setting -- code signning identity: Dont code sign
build, get the .ipa file can run on the jailbreak device
I am developing an application that will use a personal client certificate to verify the user's identity. The user will be issued the certificate from their company/organization, and will then have to install it on the phone somehow.
So my question is this: is it better for them to install it in the phone's built in storage, and the app would pull this cert from the OS, OR have the user add the cert to the application's doc folder via iTunes and load it from there?
The advantage of the cert being in the doc folder is that it's easy to locate an load into the app, but I'm not sure if that is considered "best practice."
Is there anyone out there who has actually done client certificates who can offer their input on the matter?
Through my research I have discovered that Apple does not support client certificates/PKI at this time. However if someone finds a work around, or if Apple adds this feature, please post your information here.
I have two requirements as follows.
I have a requirement in my iPhone App that the SSL certificate details of the https enabled webpage should be read and stored into my app. This could be done in background process or at the time of loading the webpage in UIWebView controller. Is it possible? If so, can you please provide the Objective-C code to get the details.
Is it possible to verify the Extended Validation(EV) certificate of a https enabled webpage? If so, please provide the Objective-C code for this.
Many thanks in advance.
Mahesh
Sadly, the answer to 1 is that you cannot do it. There is no way to provision a SSL certificate to any keychain access list (other than the Apple one) other than including it in the bundle. See my related question:
Finding a certificate on iOS