ios provisioning : running your app in an ios device

36

Upload: madusha-perera

Post on 18-Jul-2015

131 views

Category:

Software


4 download

TRANSCRIPT

Developer Certificates, Provisioning profiles and what the heck !

Created by Madusha

To do List !

1. Generating and installing A developer certificate

2. Creating AN App ID for your app/s

3. Creating A Provisioning Profile for your app

4. Registering the devices you want the app to be

tested on

Why apple made this a mission impossible task!

• Apple guarantees to the the apple device

(iPhone/iPad,…) owner that any app he runs on the

device is created by an authorized (trusted) apple

developer.

(hopefully the device must not have jail broken)

How Apple ensures the trust

Developer Certificate

Authenticity Integrity

Non-Repudiation

TRUST

• Authenticity

Ensures whether you are a real authorized

Apple developer (are you sure you paid $99)

• Integrity

Has the code being modified on the way

to the device by some one else

• Non-Repudiation

Developer must be responsible of what he has

sent (dev can’t say “hey I didn’t do that”)

We need to know PKI

Analogy for digital Certificate

Name of the owner

Name of the issuer

Seal of the issuerDate issued

University of Queensland

Russell Employer

trustsIssues a certificate

Employer trusts Russell

12

3

What does a digital certificate has

X.509 standard

public key

digital signature

? #$#^$^%*%

Hi Handsome

Cleopatra’s private key = 2

Cleopatra’s public key = 25

public key = |Σ| - private key,where public key , private key < |Σ|

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z1 2 3 4 5 6 7 8 9 1

011

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

Hi handsome = 8 9 27 8 1 14 4 19 15 13 5

encrypt with private key = 2

10 11 2 10 3 16 6 21 17 15 7

Encryption/Dycription formula:output = (charValue + private key ) % |Σ|

= (charValue + 2) % 27

10 11 2 10 3 16 6 21 17 15 7

decrypt using public key = 25

Encryption/Dycription formula:output = (charValue + public key ) % |Σ|

= (charValue + 25) % 27

8 9 27 8 1 14 4 19 15 13 5 = Hi handsome

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z1 2 3 4 5 6 7 8 9 1

011

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

What does a CSR hasPKCS #10 spec

Information Description

Distinguished Name (DN) www.commercialbk.com (fully qualified domain name)

Business/Organization Name Commercial Bank

Department Name IT

Town/City Colombo

Province/State Western

Country LK

Email address ######

Public Key ######

FEE+

Public key

Signature

Senders Digital Certificate

Certificate

Org : Commercial BankIssuer : ComodoPublic Key : ###

hash (sha1)digest

encrypt using Comodo’sprivate key

signature

Certificate

Org : Commercial BankIssuer : ComodoPublic Key : ###

attach the signatureto the certificate

How receiver(browser) authenticates the web site

Certificate

Org : Commercial BankIssuer : ComodoPublic Key : ###

decrypt using Comodo’spublic key

CA Certificate

Org : ComodoIssuer : ComodoPublic Key : #####

hash (sha1)

digest digest

Equal?

yestrust www.commercialbk.com site

Lets create a Dev cert for our selves

code signing identity(public key + private key)

Code Sign

Executable file

encrypt with developer’s private key

hashdigest

App Bundle

.app

• executable file• provisioning profile• info.plist• icons … etc.

Where the hell is App Bundle?

• This is the <AppName>.app inside your .ipa

• You can view package contents by right clicking .app

Lets check whether the code is really signed

codesign --display --verbose=4 /path/to/appBundle/exeFile

Machan,codesign is the utility which Xcode uses to

sign your code !

The build process

App ID

• Uniquely identify your app

• BundleId = <reverse domain name>.<productName>o com.virtusa.MyApp

• AppID ≈ BundleID

• AppID = <prefix>.<bundleID>o Prefix is a 10characters long string auto generated by provisioning portal.

o Example: 9572D83736. com.virtusa.MyApp

Lets see this in portal: we can even attach services such as push notifications (entitlements) that are unique for the specific app. That is because those services must need to identify the app uniquely. For example APNS must know the exact app to push notifications.

Provisioning profile(A PKCS#7 signed plist)

• Why do we need ito Its just a signed plist and apple uses this to verify that the application is

being installed is from an authorized developer and that the contents of it

has not been modified. And moreover apple doesn’t want us to run apps

in any device other than via app store.

• It’s not a must to have it in the .ipa but it’s a must to

have it installed in the device some how.

• To check the provision profiles in the iphoneo Settings-> genaral -> profiles

o You can view proviosion profile in the ipa as embedded.mobileproviosn

Provisioning profile : Anatomy

App ID

UDIDs

Dev Certificate/s

This Unique app

Can run on these restricted devices

With the trust based on the sign by authorized developer/s

What’s inside provisioning profile

• Lets check provision profiles’ validity and its’

content

openssl smime -in /path/to/provisioningProfile -inform der -verify

UDIDs

UUID

Are you kidding

me ?

After the creation of respective entity

• We can’t change any thing in dev cert other than

revoking it

• We can change permissions for services given in the

AppID

• We can change dev cert and device UDIDs in the

provisioning profile

When the app runs

• Take dev cert from provisioning profile and validate

its signature and authenticates it as a trusted

devcert (authenticate)

• Using the public key in that dev cert, decrypt the

encrypted digest and match it with the digest of

the executable file (integrity/nonrepudiation-

developer can’t say its not from me)

• If the device is listed in the provisioning profile let

the app run on the device.

Jargon

• Digital Certificates

• X.509

• PKCS standardo PKCS#7 -> used in provisioning profile

o PKCS#10 -> used in CSR

o PKCS#12 -> used to manage keys

• PKI

• Code Signingo Code Signing Identity

• Provisioning Profiles

• UDID/UUID

• .ipa/.app & AppBundle

Q & A

“The average person’s smartphone knows more about them than their spouse or significant other …”