How to get access to iOS Developer Certificate from code
Asked Answered
P

1

10

Is there a way to know with which certificate app was signed?

I want to protect app from resigning with another developer certificate.

Let's say we have client-server application. And server keeps that unique key, associated with Developer Certificate.

So with every request to server we will pass this key, and if app will be reassembled with another developer's certificate, then server will know this.

This is possible? Or may be there another way to protect from resigning?

Planarian answered 6/2, 2014 at 18:56 Comment(0)
R
3

You can know the certificate and provisioning profile used to sign the app by manually parsing out data in the embedded.mobileprovision file that is included in the app bundle. If you look through the file you'll see information about the certificate and provisioning profile.

Here's an example of how to get embedded profile data from within your app programmatically:

NSString* bundleDirectory = [[NSBundle mainBundle] bundlePath];
NSString* db = [NSString stringWithFormat:@"%@/embedded.mobileprovision", bundleDirectory];
NSData* data = [NSData dataWithContentsOfFile:db];
// parse through the data to get your provisioning profile info. I'd recommend opening up the profile that is inside your .app to see how it is structured.

HOWEVER:

I'm not sure why you'd need to do this since no one can re-sign your app unless they have the right certificate to match the provisioning profile made for your app's bundle ID.

The only way to get that is to have credentials to the apple developer account that owns the bundle ID OR if someone 'got access' to your certificate and provisioning profile.

If the latter occurred I believe you should revoke that provisioning profile from within the apple developer account and create a new one to work around the security breach. This way as long as you have access to the developer account you can always stomp on such a security breach that way, instead of writing code between client and server to check for it.

Rokach answered 6/2, 2014 at 20:0 Comment(3)
I've never used that but I'm not sure how that could make it past validation and submission through Apple to the store, assuming putting it on the store is the goal. I'd definitely be interested to know if that's possible, or if someone had an app hijacked from them in this way first hand.Rokach
I'm unable to find "embedded.mobileprovision". Does it work with development or only with distribution?Superphosphate
@Rokach Generally, It has to do with the Enterprise or Ad Hoc distribution.Poetics

© 2022 - 2024 — McMap. All rights reserved.