iOS Provisioning Profiles and Signing Certifications

iOS Provisioning Profiles and Signing Certifications

1. 1. iOS Provisioning Profiles and Signing Certificates Andre Asselin
2. 2. 2 Provisioning profiles, signing certificates, etc. All about iOS security iOS security has two parts ① Authentication • Ensure an app is really the app it claims to be • Ability to identify which app is attempting to perform an operation ② Authorization • Ensure only authorized apps can be installed/run on a device • Ensure a particular app can perform only the operations it’s allowed to do The big picture
3. 3. 3 Some Terms We’re Going to Use Bundle ID Uniquely identifies an app Application Service Something the app can do, such as in-app purchases or push notifications App ID Associates 1 or more bundle IDs with application services under a name Signing certificate / Signing identity A public-private key pair that identifies who signed an app, and verifies that the app hasn't been modified since it was signed Device ID Uniquely identifies a device Provisioning profile Associates 1 app ID, 1 or more certificates, and 0 or more devices under a name Team The people who have been added to a particular Apple Developer Account
4. 4. 4 How These All Relate (UML)
5. 5. Bundle ID and App ID: Identifying an App
6. 6. 6 Bundle ID • A bundle ID uniquely identifies an app • Syntax • Can contain only alphanumeric characters (A-Z, a-z, 0-9), hyphen (-), and period (.) • Is case sensitive • Example: com.pointsource.example • Entered into the Xcode project file for an iOS app
7. 7. 7 App ID • An app ID associates 1 or more bundle IDs with application services • The association is given a name • Created and maintained on the Apple developer site
8. 8. 8 Examples of Application Services
9. 9. Explicit and Wildcard App IDs 9 There are two types of App IDs ① Explicit App ID Matches a single specific bundle ID. Example: com.pointsource.example ② Wildcard App ID Can match multiple bundle IDs. Example: com.pointsource*
10. 10. 10 Why Not Always Use a Wildcard App ID? • Some Application Services can not be associated with a Wildcard App ID, such as Push Notifications, Apple Pay, and In-app purchase • You can not distribute an Enterprise App using a Wildcard App ID • An Enterprise app (aka In-house or UniversalDistribution) is one created using the Apple Developer Enterprise Program that is usually distributed for use inside a company (see In House Provisioning Profile). • Note: You can distribute an app via the App Store using a Wildcard App ID
11. 11. 11 Summarizing • Explicit App ID is a kind of App ID • Wildcard App ID is a kind of App ID • App IDs have 0 or more Application Services associated with them
12. 12. 12 Further Notes An Explicit App ID can not be deleted for an app that has been uploaded to iTunes Connect
13. 13. Signing Certificates: Proving an App’s Identity (Part 1)
14. 14. 14 Signing Certificates Signing Certificates (also known as Signing Identity) • Prove who signed an app • Verifies that an app wasn’t tampered with after it was signed
15. 15. 15 Two Ways to Create a Signing Certificate • You can use Xcode to create (or fix) a Signing Certificate in Preferences / Accounts • You can create a Signing Certificate through the Member Center website • First create a certificate signing request using Keychain access / Certificate assistant / Request a Certificate from a Certificate Authority… • Upload the signing request file • Download the newly generated certificate
16. 16. 16 Creating a Signing Certificate via Xcode
17. 17. 17 Creating a Signing Certificate via Keychain Access
18. 18. Device ID: Identifying a Device
19. 19. 19 UDID • Every iOS device has an ID that uniquely identifies it • UDID (Unique Device Identifier) • You can add up to 100 devices per type to an Apple developer account per year • The types are: Apple TV, Apple Watch, iPad, iPhone, iPod Touch • UDIDs are managed through Member Center • During the year your account is active, any devices that are removed will still use one of the 100 slots • When you renew your account, the slots for removed devices will be freed up, and you can replace them with different devices • (Jumping ahead) Devices can be added to a development or ad-hoc Provisioning Profile to allow an app built with that Provisioning Profile to be installed/run on those devices
20. 20. 20 Retrieving UDID via iTunes
21. 21. 21 Retrieving UDID via iTunes
22. 22. App Distribution and Provisioning Profiles
23. 23. 23 App Distribution • Apple controls which apps are allowed to be installed on an iOS device by using the information from a Provisioning Profile that is embedded in the app • Provisioning Profiles ensure • Only apps authorized for a particular iOS device can be installed/run on that device • A debugger can’t be attached to apps built in release mode
24. 24. 24 App Distribution Use Cases The world
25. 25. 25 App Distribution Use Cases The world Development Profile Ad-Hoc Profile In-House Profile App Store Profile
26. 26. 26 How Provisioning Profiles Relate to Apple Developer Accounts • Two types of Apple Developer accounts • Apple Developer Program • Apple Developer Enterprise Program • The difference between them is which types of Provisioning Profiles are allowed on each
27. 27. 27 Provisioning Profiles Allowed on Apple Accounts Apple Developer Program Apple Developer Enterprise Program Development ✓ ✓ Ad-hoc ✓ ✓ App Store ✓ ✕ In-house ✕ ✓
28. 28. 28 Provisioning Profiles • A Provisioning Profile associates • Exactly 1 App ID • 1 or more Signing Certificates • 0 or more Device IDs (UDIDs) • Provisioning Profiles are created and maintained on Member Center • The association is given a friendly name, but is uniquely identified by a UUID • You can have multiple provisioning profiles with the same name and different UUIDs (although this will be confusing)
29. 29. 29 Relationship Between Provisioning Profile Types
30. 30. 30 Development Provisioning Profile • Used to allow a developer to install an app on a device during development • Allows debugging the app • Contains 1 or more Development Signing Certificates and 1 or more device IDs (UDIDs)
31. 31. 31 Team Provisioning Profile • A Team Provisioning Profile is a kind of development Provisioning Profile. • Xcode’s attempt to make Provisioning Profiles user friendly during development • Allows any app developed by a team to be signed by any team member and installed on any team device • Examples: "iOS Team Provisioning Profile:*", "iOS Team Provisioning Profile:com.pointsource.example" • Xcode updates the team Provisioning Profile whenever you register a device, create a development Signing Certificate, or modify the Bundle ID through Xcode • Changes made using Member Center don't automatically update team Provisioning Profiles • To select the Team Provisioning Profile in Xcode, select "Automatic" for the Provisioning Profile under Code Signing
32. 32. 32 Team Provisioning Profile (2) • Contains: • A wildcard App ID that matches all your team's apps or an explicit App ID that matches a single app. • All devices associated with the team. • All development Signing Certificate associated with the team. • Wildcard vs explicit App ID • If your app can use a wildcard App ID during development, Xcode creates a team Provisioning Profile containing a wildcard App ID • If you add an Application Service that requires an explicit App ID, Xcode creates an explicit App ID and a corresponding team Provisioning Profile • You are not allowed to edit a team Provisioning Profile on Member Center
33. 33. 33 Distribution Provisioning Profile • Debugging is disabled • Has exactly 1 Distribution Signing Certificate • Three types of Distribution Provisioning Profiles: App Store, Ad hoc, In House
34. 34. 34 App Store Provisioning Profile • Allows distributing an app to an unlimited number of devices through the App Store • Has no device IDs (UDIDs) associated with it • Available only in the Apple Developer Program (vs Apple Developer Enterprise Program)
35. 35. 35 In House Provisioning Profile • Allows distributing an app to an unlimited number of devices outside of the App Store. For example: distributed on an internal company website. • Also known as iOS Universal Distribution in Member Center • Has no device IDs (UDIDs) associated with it • Available only in the Apple Developer Enterprise Program (vs Apple Developer Program)
36. 36. 36 In House Provisioning Profile (2) Note: Apps distributed with an in house Provisioning Profile will not run until the user clicks to trust the developer. • An error message will display saying the developer is not trusted • On iOS 9, to trust the app, go to Settings / General / Profile / <Company Name>, and select "Trust <Company Name>"
37. 37. 37 Ad Hoc Provisioning Profile • Allows your app to be installed on designated devices • Example use case: distribution to QA for testing • Contains 1 or more device IDs (UDIDs) • Can be distributed and installed though iTunes, the X Code organizer or though the web
38. 38. 38 Ad Hoc Provisioning Profile (2) Note: Like the In-House Provisioning Profile, apps distributed using an ad hoc Provisioning Profile created on an Apple Developer Enterprise Program account (vs Apple Developer Program) will not run until the user clicks to trust the developer. • An error message will display saying the developer is not trusted • On iOS 9, to trust the app, go to Settings / General / Profile / <Company Name>, and select "Trust <Company Name>"
39. 39. 39 Expiration and Invalidation • Provisioning profiles expire after one year • Provisioning profiles become invalid on Member Center if • Its App ID is deleted • It contains a Signing Certificate that has been revoked • It contains a device ID (UDID) that has been disabled
40. 40. 40 Provisioning Profiles are Copied and Cached Copied to Embedded in
41. 41. 41 Regeneration • Because Provisioning Profiles are copied and cached, when a Provisioning Profile is invalidated on Member Center, it does not affect anybody who previously downloaded it to their Mac, nor any apps already built with it • For example: You may still run your app on a disabled device if an app is built with an older version of the Provisioning Profile that still contains that device’s UDID • When a Provisioning Profile is regenerated, it generates a whole new profile, with a new UUID • The old Provisioning Profile is unaffected and can still be used, unless it’s expired • Xcode will only automatically regenerate team Provisioning Profiles. It will not automatically regenerate distribution Provisioning Profiles or custom development Provisioning Profiles.
42. 42. 42 Further Notes • Stored in Member Center and cached locally in "~/Library/MobileDevice/Provisioning Profiles” • Filename in "~/Library/MobileDevice/Provisioning Profiles" will be <UUID>.mobileprovision.
43. 43. Signing Certificates (Part 2)
44. 44. 44 Two Types of Signing Certificates
45. 45. 45 Development Signing Certificate • Used in a development Provisioning Profile • Allows debugging apps • Identifies a person on your team • Can be created by a team member • Limit of 1 iOS development Signing Certificate per team member • Contains the person's name. Example: iPhone Developer: Wendy Jones
46. 46. 46 Distribution Signing Certificate • Also known as Production Certificate (on Member Center) • Used in a Distribution Provisioning Profile (Ad hoc, In House, and App Store) • Identifies the team • Owned by the team— shared by multiple team members who have permission to distribute apps • Contains the team name. Example: iPhone Distribution: PointSource, LLC • Can only be created by a team agent or admin • Limit of 2 distribution Signing Certificates active at the same time; each is independent from the other • The second certificate is intended to provide an overlapping period during which you can update your apps before the first certificate expires
47. 47. 47 Expiration • Apple Developer Program Signing Certificates expire after 1 year • Apple Developer Enterprise Program Signing Certificates expire after 3 years
48. 48. 48 Revoking • If you revoke a Signing Certificate, any Provisioning Profile that contains that certificate becomes invalid • Revoking a distribution Signing Certificate doesn’t affect your development Signing Certificates or development Provisioning Profiles • Similarly, revoking a development Signing Certificate doesn't affect your distribution Signing Certificates or distribution Provisioning Profiles • Revoking a Signing Certificate doesn't affect apps that you've submitted to the App store nor does it affect your ability to update them • This is because Apple re-signs apps before distributing to customers
49. 49. 49 Regeneration is Not Allowed • Signing Certificates can not be recreated / regenerated. If a certificate expires or is revoked, a new one must be created. • If Xcode detects an issue with a Signing Certificate, it displays an appropriate action in Accounts preferences. • If Xcode displays a Create button, the Signing Certificate doesn't exist in Member Center or on your Mac. • If Xcode displays a Reset button, the Signing Certificate is not usable on your Mac—for example, it is missing the private key. If you click the Reset button, Xcode revokes and re-creates the corresponding certificate.
50. 50. 50 Aside: Using PKI for Signatures Key Generation Signing and Verification
51. 51. 51 The Private Key Only Exists on the Mac that Created the Key Key and certificate creation
52. 52. 52 What You’ll see in Keychain Access Certificate only– no private key Certificate and private key
53. 53. 53 You can move your Signing Certificates (including the private keys) from one Mac to another and back them up by exporting a Developer Profile (not to be confused with a Development Provisioning Profile) from the Accounts tab in Xcode's preferences. Setting Up a New Mac
54. 54. 54 Note that resources such as images and nib files aren't signed; therefore, a change to these files doesn't invalidate the signature Further Notes
55. 55. Thank you www.PointSource.com 55