Dynamically modify the iOS project .mobileprovision - dynamic

Now,I have a big question.I'm doing iOS dynamically compiled function, I want to use an iOS project, compile several different ipa file, use the Enterprise so that these items can be installed to the phone, I use xcodebuild command. But I do not know how to dynamically generate .mobileprovision file. I do not want every time manually generated from the Apple Developer Center

.mobileprovision files comply with RFC 3852 "Cryptographic Message Syntax (CMS)". In addition to the plain-text signing identities, app identifiers, entitlements, permitted test device UDIDs, and other related metadata, these files are cryptographically signed by Apple at the time they are generated on the Certificates, Identities, and Profiles tool. As only Apple holds the cryptographic keys that protect these documents, you will not be able to dynamically alter these files yourself -- you will have to work with the Certificates, Identities, and Profiles tool to be able to generate, request, download, and install profiles Apple generates.
Alternatively, the Certificates, Identities, and Profiles tool permits you to define what is called a Wildcard App ID (ex: com.mycompany.apps.*) that would allow you to use that one provisioning profile with apps under that app id tree:
com.mycompany.apps.myfirstapp
com.mycompany.apps.yetanotherapp
would both work, while:
com.mycompany.someotherapp
would require a different provisioning profile. Use of Wildcard App Ids also limits the kinds of entitlement based services you are permitted to use -- notably things like Push Notifications, Apple Pay, In-App Purchases, and Game Center are specifically disallowed under wildcard provisioning. If your app template requires use of these restricted entitlement based services, wildcard provisioning is not a viable solution and you will have to fall back to interacting with the Certificates, Profiles, and Identities tool.

Related

Google API key security for iOS apps

TLDR:
Does Google check the validity of an iOS app's bundle identifier when restricting the API key to a specific iOS app?
Or is it possible for anyone to mimic the bundle ID in order to launch an attack?
If the latter is false, why not include the API key in the iOS app?
UPDATE 1:
I'm guessing Google doesn't check for Team ID?
Apple Glossary
App ID A string that identifies one or more apps from a single team. An App ID consists of a bundle ID search string preceded by the Team ID, a 10-character string generated by Apple to uniquely identify a team.
I need some directions... (pun intended)
Say I'm building an iOS app that needs to consume the Google Directions API.
Google suggests to "proxy the web service via your server when you're using the API in a mobile app, to protect your API key".
In my project settings in Google Console (API Manager -> Credentials etc) I can restrict the API key to only iOS apps with my bundle identifier (com.example.MyApp).
Since I don't need a server, what's the worse that can happen if I include the key in the app?
The only thing I can think of right now is someone steals the API key and builds an app faking my bundle ID (or even fake the iOS host itself) and fires "unlimited requests" to bring down my service/make me pay a lot of money.
Is this possible?
And if it is, couldn't he do the same even if I hid the API key in the server? Just call my server instead of the API directly.
So what's the gain of having a server in that case?
And would the only solution to prevent this abuse be to require authentication and rate limit each user?
But couldn't then someone create "unlimited" random accounts?!
Do I use captcha?
By then the UX has become pretty awful, especially since authorisation is not even required for my app...
Is there a solution to this, or do I just choose the simplest solution (include the key in the app) and hope for the best?

How does Apple sign apps that it recompiles from bitcode?

I create an app and I sign it and send it to Apple, along with bitcode.
Apple redistributes to millions of people and they can verify my code signature.
Now Apple recompiles my app and distributes again.
How are they able to sign the app so that it will run on those millions of people's devices? Do they have access to my private key and are they forging my signature?
The words of Felix Krause, the "Professional iOS Code Signing Issue Resolver" and the creator of fastlane tool:
"You sign your app and Apple has to sign it also... The fact that you have to code sign on local machine is actual nonsense because Apple basically resigns your app anyway once it gets approved."
For us that means that Apple uses another key pair to sign the app even if they don't have to rebuild it from bitcode. So that's the answer - they don't have access to user's private key, they resign the App with their key. And in case of recompiling app from bitcode - even simpler: compile bitcode, sign binary with App Store key.

Automatically using self signed SSL certificate

I'm creating a launcher for a game I'm making. To gain access to the launcher's menu the user has to first create an account on the game's site, buy the game using it, and then login to the launcher using his credentials. I've set up a php script on the server which accepts a username and password MD5 hash parameter (in the URL), checks to see if the account is in the database and returns relevant information to the launcher.
Since I'm transferring sensitive (albeit encrypted) information over the Internet I've figured that using SSL would be the best way to go about doing this. Since I can't quite afford a legit third party signed certificate I've signed one myself. It's bundled in the launcher and added to the trust store programmatically so that I can use it to connect to that php script and login without any problems.
Now this whole system I've described works just fine, but I've heard from someone that using a self signed SSL certificate without the user's consent is illegal in some countries (namely Denmark, maybe others). I've tried looking this up to see whether I should add some sort of confirmation dialog to the launcher but I couldn't find anything.
I'm located (and developing the program) in Israel, the server is in the Netherlands.
Does anyone know what laws my friend was talking about, and what I should do to avoid breaking them, as well as online sources where I can read more about them?
Some countries have laws against using encryption. Check out Crypto Law Survey for details on each countries' restrictions. The Netherlands appears to have some restrictions, if so, you might want to consider moving your server.

Retrieving data programmatically from a Configuration Profile in IOS

I have been searching all over the apple documentation, including these forums, yet was not able to retrieve a certificate from a configuration profile that I had created and installed on my iPhone.
More specifically:
Using the iPhone Configuration Utility, I created a simple configuration profile that contains a certificate under the Credentials tab.
I am now trying to retrieve this certificate using my iPhone app but without any luck of coming across useful documentation/examples.
I know how to extract PKCS12 data - I just don't know where to find the certificate data to begin with.
Is there a path to the certificate data or to an NSDictionary of configuration profile values?
It seems it is not possible currently to read a profile. See https://devforums.apple.com/message/533356 (requires login).
Was looking for the same thing, to authenticate user as an enterprise employee.

Can I submit an application to iTunes Connect that is signed by another Apple Developer account?

I have a question regarding app submission.
Situation: We have an iPhone Developer account and our customer has an iTunes Connect account. Is it possible that we hand them the signed, zipped application (that is signed with a provisioning profile from OUR account) and they upload it on their account?
Or is it REQUIRED that they give us acces with the "technician" role?
From my first impression, i think it should be possible that both accounts are not in any way connected, but i am not sure.
Any help is appreciated. If it is possible, please post references, Thanks =)
I think the short answer to the question in the title is "No".
See the iTunesConnect > FAQs > Manage your applications
I sold my app to another developer and
can no longer distribute on the App
Store. Can I transfer the app to the
new developer's iTunes Connect
account? At this time, applications
cannot be transferred to another
developer account. If you would like
the application to be sold through
another developer account, you will
need to remove the app from sale in
the current iTunes Connect account and
upload the app under the new iTunes
Connect account.
Not exactly your question, but sounds similar enough.
We had a need to resign a 3rd party developer supplied app with our signing keys - which sounds similar to what you want to do:
1) Use Xcode's Build > Build and Archive feature to create the version of the app to had off to your customer.
2) Select that build in the Archived Applications source in the Organizer
3) Choose Reveal Archived Application in Finder from the contextual menu
4) Select and compress the enclosing folder
5) Send that zip archive to your customer.
Your customer would then unzip and expand that archive in ~/Library/MobileDevice/Archived Applications. That will make it available in the Xcode Organizer. Your customer can then use the Share Application… and/or Submit to iTunes Connect… buttons to re-sign and distribute the app using your customer's distribution provisioning profile.
EDIT: A follow up that may not be clear from the info above.
To be able to do this, the 3rd party developer needs to build the app with your development profile; e.g. they need to be a "Team Member" of your account. They can do nothing more than build the app and sign it with development keys. Then they can deliver a build that has been compiled with your development keys at which point you can re-sign this with your distribution keys and submit.
If you need to, you can remove them and revoke their information from the iOS Provisioning Portal after successful app deployment.
EDIT2: With the Xcode 4 .xarchive bundles, you can just copy the .xarchive bundle into ~/Library/Developer/Xcode/Archives/[date]/ folder. Then it will show up in the Organizer under the Archives section - validate, share and submit from there.