iOS Provisioning Profiles and Signing Certificates Andre Asselin



The big picture

Provisioning profiles, signing certificates, etc.
All about iOS security

iOS security has two parts

① Authentication
• Ensure an app is really the app it claims to be
• Ability to identify which app is attempting to perform an operation

② Authorization
• Ensure only authorized apps can be installed/run on a device
• Ensure a particular app can perform only the operations it’s allowed to do


Some Terms We’re Going to Use

• Bundle ID: Uniquely identifies an app
• Application Service: Something the app can do, such as in-app purchases or push notifications
• App ID: Associates 1 or more bundle IDs with application services under a name
• Signing certificate / Signing identity: A public-private key pair that identifies who signed an app, and verifies that the app hasn't been modified since it was signed
• Device ID: Uniquely identifies a device
• Provisioning profile: Associates 1 app ID, 1 or more certificates, and 0 or more devices under a name
• Team: The people who have been added to a particular Apple Developer Account


How These All Relate (UML)


Bundle ID and App ID: Identifying an App


Bundle ID

• A bundle ID uniquely identifies an app
• Syntax
  • Can contain only alphanumeric characters (A-Z, a-z, 0-9), hyphen (-), and period (.)
  • Is case sensitive
  • Example: com.pointsource.example
• Entered into the Xcode project file for an iOS app


App ID

• An app ID associates 1 or more bundle IDs with application services
• The association is given a name
• Created and maintained on the Apple developer site


Examples of Application Services


Explicit and Wildcard App IDs

There are two types of App IDs

① Explicit App ID
Matches a single specific bundle ID. Example: com.pointsource.example

② Wildcard App ID
Can match multiple bundle IDs. Example: com.pointsource*


Why Not Always Use a Wildcard App ID?

• Some Application Services can not be associated with a Wildcard App ID, such as Push Notifications, Apple Pay, and In-app purchase

• You can not distribute an Enterprise App using a Wildcard App ID
  • An Enterprise app (aka In-house or Universal Distribution) is one created using the Apple Developer Enterprise Program that is usually distributed for use inside a company (see In House Provisioning Profile).
  • Note: You can distribute an app via the App Store using a Wildcard App ID


Summarizing

• Explicit App ID is a kind of App ID
• Wildcard App ID is a kind of App ID
• App IDs have 0 or more Application Services associated with them


Further Notes

An Explicit App ID can not be deleted for an app that has been uploaded to iTunes Connect


Signing Certificates: Proving an App’s Identity

(Part 1)


Signing Certificates

Signing Certificates (also known as Signing Identity)

• Prove who signed an app
• Verify that an app wasn’t tampered with after it was signed


Two Ways to Create a Signing Certificate

• You can use Xcode to create (or fix) a Signing Certificate in Preferences / Accounts

• You can create a Signing Certificate through the Member Center website
  • First create a certificate signing request using Keychain Access / Certificate Assistant / Request a Certificate from a Certificate Authority…
  • Upload the signing request file
  • Download the newly generated certificate


Creating a Signing Certificate via Xcode


Creating a Signing Certificate via Keychain Access


Device ID: Identifying a Device


UDID

• Every iOS device has an ID that uniquely identifies it
  • UDID (Unique Device Identifier)
• You can add up to 100 devices per type to an Apple developer account per year
  • The types are: Apple TV, Apple Watch, iPad, iPhone, iPod Touch
• UDIDs are managed through Member Center
  • During the year your account is active, any devices that are removed will still use one of the 100 slots
  • When you renew your account, the slots for removed devices will be freed up, and you can replace them with different devices
• (Jumping ahead) Devices can be added to a development or ad-hoc Provisioning Profile to allow an app built with that Provisioning Profile to be installed/run on those devices


Retrieving UDID via iTunes



App Distribution and Provisioning Profiles


App Distribution

• Apple controls which apps are allowed to be installed on an iOS device by using the information from a Provisioning Profile that is embedded in the app

• Provisioning Profiles ensure
  • Only apps authorized for a particular iOS device can be installed/run on that device
  • A debugger can’t be attached to apps built in release mode


App Distribution Use Cases

The world


Profile types shown in the figure: Development Profile, Ad-Hoc Profile, In-House Profile, App Store Profile


How Provisioning Profiles Relate to Apple Developer Accounts

• Two types of Apple Developer accounts
  • Apple Developer Program
  • Apple Developer Enterprise Program

• The difference between them is which types of Provisioning Profiles are allowed on each


Provisioning Profiles Allowed on Apple Accounts

Profile type    Apple Developer Program    Apple Developer Enterprise Program
Development     ✓                          ✓
Ad-hoc          ✓                          ✓
App Store       ✓                          ✕
In-house        ✕                          ✓


Provisioning Profiles

• A Provisioning Profile associates
  • Exactly 1 App ID
  • 1 or more Signing Certificates
  • 0 or more Device IDs (UDIDs)
• Provisioning Profiles are created and maintained on Member Center
• The association is given a friendly name, but is uniquely identified by a UUID
• You can have multiple provisioning profiles with the same name and different UUIDs (although this will be confusing)


Relationship Between Provisioning Profile Types


Development Provisioning Profile

• Used to allow a developer to install an app on a device during development

• Allows debugging the app

• Contains 1 or more Development Signing Certificates and 1 or more device IDs (UDIDs)


Team Provisioning Profile

• A Team Provisioning Profile is a kind of development Provisioning Profile.
• Xcode’s attempt to make Provisioning Profiles user friendly during development
• Allows any app developed by a team to be signed by any team member and installed on any team device
• Examples: "iOS Team Provisioning Profile:*", "iOS Team Provisioning Profile:com.pointsource.example"
• Xcode updates the team Provisioning Profile whenever you register a device, create a development Signing Certificate, or modify the Bundle ID through Xcode
• Changes made using Member Center don't automatically update team Provisioning Profiles
• To select the Team Provisioning Profile in Xcode, select "Automatic" for the Provisioning Profile under Code Signing


Team Provisioning Profile (2)

• Contains:
  • A wildcard App ID that matches all your team's apps or an explicit App ID that matches a single app.
  • All devices associated with the team.
  • All development Signing Certificates associated with the team.
• Wildcard vs explicit App ID
  • If your app can use a wildcard App ID during development, Xcode creates a team Provisioning Profile containing a wildcard App ID
  • If you add an Application Service that requires an explicit App ID, Xcode creates an explicit App ID and a corresponding team Provisioning Profile
• You are not allowed to edit a team Provisioning Profile on Member Center


Distribution Provisioning Profile

• Debugging is disabled

• Has exactly 1 Distribution Signing Certificate

• Three types of Distribution Provisioning Profiles: App Store, Ad hoc, In House


App Store Provisioning Profile

• Allows distributing an app to an unlimited number of devices through the App Store

• Has no device IDs (UDIDs) associated with it

• Available only in the Apple Developer Program (vs Apple Developer Enterprise Program)


In House Provisioning Profile

• Allows distributing an app to an unlimited number of devices outside of the App Store. For example: distributed on an internal company website.

• Also known as iOS Universal Distribution in Member Center

• Has no device IDs (UDIDs) associated with it

• Available only in the Apple Developer Enterprise Program (vs Apple Developer Program)


In House Provisioning Profile (2)

Note: Apps distributed with an in house Provisioning Profile will not run until the user clicks to trust the developer.

• An error message will display saying the developer is not trusted

• On iOS 9, to trust the app, go to Settings / General / Profile / <Company Name>, and select "Trust <Company Name>"


Ad Hoc Provisioning Profile

• Allows your app to be installed on designated devices
  • Example use case: distribution to QA for testing
• Contains 1 or more device IDs (UDIDs)
• Can be distributed and installed through iTunes, the Xcode Organizer, or through the web


Ad Hoc Provisioning Profile (2)

Note: Like the In-House Provisioning Profile, apps distributed using an ad hoc Provisioning Profile created on an Apple Developer Enterprise Program account (vs Apple Developer Program) will not run until the user clicks to trust the developer.

• An error message will display saying the developer is not trusted

• On iOS 9, to trust the app, go to Settings / General / Profile / <Company Name>, and select "Trust <Company Name>"


Expiration and Invalidation

• Provisioning profiles expire after one year
• A Provisioning Profile becomes invalid on Member Center if
  • Its App ID is deleted
  • It contains a Signing Certificate that has been revoked
  • It contains a device ID (UDID) that has been disabled


Provisioning Profiles are Copied and Cached

Figure labels: "Copied to", "Embedded in"


Regeneration

• Because Provisioning Profiles are copied and cached, when a Provisioning Profile is invalidated on Member Center, it does not affect anybody who previously downloaded it to their Mac, nor any apps already built with it

• For example: You may still run your app on a disabled device if an app is built with an older version of the Provisioning Profile that still contains that device’s UDID

• When a Provisioning Profile is regenerated, it generates a whole new profile, with a new UUID

• The old Provisioning Profile is unaffected and can still be used, unless it’s expired

• Xcode will only automatically regenerate team Provisioning Profiles. It will not automatically regenerate distribution Provisioning Profiles or custom development Provisioning Profiles.


Further Notes

• Stored in Member Center and cached locally in "~/Library/MobileDevice/Provisioning\ Profiles"

• Filename in "~/Library/MobileDevice/Provisioning\ Profiles" will be <UUID>.mobileprovision.
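
Added example (not from the original slides): Python that reads the plist embedded in a cached <UUID>.mobileprovision file, classifies it by the profile-type rules above, and flags profiles that are expired or still list a disabled UDID, the stale-cache case described under Regeneration. The plist keys (ProvisionedDevices, ProvisionsAllDevices, get-task-allow, ExpirationDate) belong to Apple's profile format and are not named in the slides; the sample blob and the disabled-UDID set are constructed.

```python
import plistlib
from datetime import datetime, timezone
from pathlib import Path

CACHE = Path.home() / "Library/MobileDevice/Provisioning Profiles"

def load_profile(blob: bytes) -> dict:
    """Read the plist embedded in a .mobileprovision (CMS-signed) blob.
    The signature is NOT verified here; this only inspects the contents."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def classify(profile: dict) -> str:
    """Map a profile onto the four types from the slides."""
    if profile.get("ProvisionsAllDevices"):       # no UDIDs, any device
        return "In House"
    if not profile.get("ProvisionedDevices"):     # no UDIDs at all
        return "App Store"
    debuggable = profile.get("Entitlements", {}).get("get-task-allow", False)
    return "Development" if debuggable else "Ad Hoc"

def audit(profile: dict, now: datetime, disabled_udids=()) -> list:
    """Flag a cached copy that outlived a change made on Member Center."""
    findings = []
    if profile["ExpirationDate"] <= now:          # plistlib yields naive UTC
        findings.append("expired")
    stale = sorted(set(profile.get("ProvisionedDevices", [])) & set(disabled_udids))
    if stale:
        findings.append("still lists disabled devices: " + ", ".join(stale))
    return findings

# Constructed sample: fake DER bytes wrapped around a minimal profile plist.
SAMPLE = b"\x30\x82\x0b\x0b" + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Name</key><string>Example Ad Hoc</string>
<key>UUID</key><string>00000000-0000-0000-0000-000000000000</string>
<key>ExpirationDate</key><date>2016-01-01T00:00:00Z</date>
<key>ProvisionedDevices</key><array><string>UDID-A</string><string>UDID-B</string></array>
<key>Entitlements</key><dict><key>get-task-allow</key><false/></dict>
</dict></plist>""" + b"\x00trailing-signature-bytes"

if __name__ == "__main__":
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    blobs = {"SAMPLE": SAMPLE}
    blobs.update((p.name, p.read_bytes()) for p in CACHE.glob("*.mobileprovision"))
    for name, blob in blobs.items():
        prof = load_profile(blob)
        # {"UDID-B"} stands in for a list of UDIDs disabled on Member Center.
        print(name, prof.get("UUID"), classify(prof), audit(prof, now, {"UDID-B"}))
```
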


Signing Certificates (Part 2)


Two Types of Signing Certificates


Development Signing Certificate

• Used in a development Provisioning Profile
• Allows debugging apps
• Identifies a person on your team
• Can be created by a team member
• Limit of 1 iOS development Signing Certificate per team member
• Contains the person's name. Example: iPhone Developer: Wendy Jones


Distribution Signing Certificate

• Also known as Production Certificate (on Member Center)
• Used in a Distribution Provisioning Profile (Ad hoc, In House, and App Store)
• Identifies the team
  • Owned by the team—shared by multiple team members who have permission to distribute apps
• Contains the team name. Example: iPhone Distribution: PointSource, LLC
• Can only be created by a team agent or admin
• Limit of 2 distribution Signing Certificates active at the same time; each is independent from the other
  • The second certificate is intended to provide an overlapping period during which you can update your apps before the first certificate expires


Expiration

• Apple Developer Program Signing Certificates expire after 1 year

• Apple Developer Enterprise Program Signing Certificates expire after 3 years


Revoking

• If you revoke a Signing Certificate, any Provisioning Profile that contains that certificate becomes invalid

• Revoking a distribution Signing Certificate doesn’t affect your development Signing Certificates or development Provisioning Profiles

• Similarly, revoking a development Signing Certificate doesn't affect your distribution Signing Certificates or distribution Provisioning Profiles

• Revoking a Signing Certificate doesn't affect apps that you've submitted to the App Store, nor does it affect your ability to update them
  • This is because Apple re-signs apps before distributing to customers


Regeneration is Not Allowed

• Signing Certificates can not be recreated / regenerated. If a certificate expires or is revoked, a new one must be created.

• If Xcode detects an issue with a Signing Certificate, it displays an appropriate action in Accounts preferences.

  • If Xcode displays a Create button, the Signing Certificate doesn't exist in Member Center or on your Mac.
  • If Xcode displays a Reset button, the Signing Certificate is not usable on your Mac—for example, it is missing the private key. If you click the Reset button, Xcode revokes and re-creates the corresponding certificate.


Aside: Using PKI for Signatures

Figure panels: Key Generation; Signing and Verification


The Private Key Only Exists on the Mac that Created the Key

Key and certificate creation


What You’ll see in Keychain Access

• Certificate only, no private key
• Certificate and private key


Setting Up a New Mac

You can move your Signing Certificates (including the private keys) from one Mac to another and back them up by exporting a Developer Profile (not to be confused with a Development Provisioning Profile) from the Accounts tab in Xcode's preferences.


Further Notes

Note that resources such as images and nib files aren't signed; therefore, a change to these files doesn't invalidate the signature.


Thank you

www.PointSource.com