Mac Application security related - objective-c

Can someone please clarify below behaviours from security point of view:
Please note, application will be distributed outside AppStore.
I built mac application (.app) and I have not signed the same with developerid. If I open the app one some other Mac where Security & Privacy setting is Allow downloads from – Mac App Store and identified developers .
In this scenario, will this app supposed to run? As I understand from the security, it should not. But it is running fine without warning.
If I build dmg file with the app and both dog and app are not signed. How should be the behaviour in this case when I click on dmg?
If I sign dmg file not app. What should happen when I click on dmg file and later app?
Only signing dmg is enough?

The Gatekeeper security policy only applies to "downloaded" files. When some apps (e.g. Safari, Mail, Messages, etc) download a file, they apply a com.apple.quarantine extended attribute to the file, marking it as being in quarantine because it was downloaded from an untrusted source. When you open the file, several quarantine-based security policies are applied, including the Gatekeeper policy.
If the file was never placed in quarantine because it was not "downloaded", the Gatekeeper policy will not be applied. Note that copying files via USB disks, AFP or SMB file sharing, etc do not apply the quarantine attribute (see this Apple.SE question).
If you want to test the quarantine behavior, you can create your own com.apple.quarantine attribute with either of the procedures described here.
If the disk image is quarantined, the quarantine will be applied to its contents and running the app will apply the Gatekeeper policy. If the disk image is not quarantined, Gatekeeper will not activate.
Under older versions of OS X (through 10.11), signing the disk image is irrelevant. If the disk image is quarantined, the app contained in it will be as well, and so the app must be signed to run.
[UPDATE] Starting in macOS Sierra (10.12), signing the disk image is sometimes required in addition to signing the app. The details are complicated, so for simplicity's sake I'll just recommend signing your disk images. But be sure to do the signing under 10.11.5 or later; that's when Apple added the ability to embed a signature in a disk image in a way that won't be lost when it's downloaded.

Related

vb.net db application - deployment

developed a win. form vb.net db app that uses an access.accdb backend. I am struggling to find the best deployment strategy. In the past, I have distributed the .exe and access.accdb from the /bin/debug folder. This works, but Im not sure if it's the best method.
this db app. will be used by 5-10 ppl, non-simultaneous
my current plan is to put the .exe and access.accdb on a network share drive, users will launch from network share
users do not have admin privs, the computers have strict security settings
I have noticed that when launching the .exe from network share, you get the unknown publisher warning; this message does not appear when launching from local drive. Due to users security restrictions, I know that simply hitting 'continue/run' on the publisher warning is NOT an option. There is no 'continue/run' button.
So, I assume I have to buy a code signing cert and strong name sign the assembly?
I also read here http://msdn.microsoft.com/en-us/library/142dbbz4%28v=vs.80%29.aspx that clickonce deployment does not require admin privs, and can be launched from network share and ran from cache.
In this case, I buy Authenticode cert and sign the clickonce manifest?
Any advice?
edit
I left out a key function of the app that will affect deployment.
Users can select files and upload them. The basePath/filename is stored in the db. uploading and retrieving the file via openFileDialog and datagridview.cellContentClick is all relative to where the .exe is launched from (application.startupPath). I didn't want to hard code full paths into the db, because I'm sure it will be moved, (both app and files) over time to a new location.
ClickOnce deployment is the way to go here.
You do not have to buy anything, you can self sign your assembly with a strong name.
This should be fine for an internal application

Does it break "terms of use" to store my app settings in SkyDrive?

My app runs on Android, iOS, WebSite, WindowsPhone, and now Windows 8. I use SkyDrive already. It's where I store the file(s) my app creates.
It would not be technically difficult to also store my app settings in SkyDrive. This would let me have a "unified" settings experience across devices. That's nice.
Is this allowed? I can do it "technically" can I do it "legally"?
It does not. SkyDrive does not preclude you from using the SkyDrive folders for a repository of a settings file (like a XAML file or something). It is not a violation of ToS.
This used to NOT be allowed. But, I have confirmed this change with a/the SkyDrive PM.
Warning! There is no protected area of SkyDrive for apps to store this sort of information. As a result, the user could delete or tamper with settings files at any time. If you decide to use SkyDrive to store these files, also create a mitigation plan if they are missing or damaged.

iOS - Prevent iPhone Configuration Profile from being deleted OR check to see if it's installed

I'm working on an iOS enterprise app that relies on an Configuration Profile being put on the phone. Unfortunately, the user can "cancel" this profile, which really screws with our app.
So I was wondering if a) is it possible to prevent a configuration profile from being deleted OR
b) is there a way to check to see if a configuration profile is installed already (say, at runtime, then we can just install it again if it's not there)?
If you want the configuration profile not to be tampered with / disabled by the user, this is possible! If you're using Apple Configurator to build your .mobileconfig file in the generals tab select security as never. Be aware: once the profile is installed on the device it cannot be reverted unless you restore the device
The long story short is there is no current documented way to even programmatically call / install a configuration profile (.mobileconfig) file onto the device: so if you're thinking about checking whether the profile exists and if not to install it, it's impossible (as for available documentation thus far) - if you do find a way let me know
Note:
.mobileconfig files can only run through Safari / Mail.
This similar SO discussion may help: Installing a configuration profile on iPhone - programmatically
It is possible to check is .mobileconfig is installed.
What you need to do is:
Create CA (certificate authority) and export it as .cer.
Issue certificate using created CA and export is as well as .cer.
Using Apple Configurator app add CA .cer in the certificates area.
Mobile configuration profile will have CA .cer.
Issued certificate (on step two) add to app bundle.
Using Security framework evaluate (SecTrustEvaluate) issued
certificate on step 2.

Automatic file selection for upload

Is it possible for a website to automatically find a folder on usb stick and upload all the files in it to the web server by clicking only one button?
The problem is that I don't know how to make upload form automatically detect usb stick as the drive name(ie. G:, F:, etc) may vary from computer to computer, so hard coding path is not possible.
Ps. I'm using yii framework for site development, but can add a new page that will handle this in any other language as the client really wants this feature.
Web sites are not allowed to set default files to upload (it's a major security risk!). Also, web sites cannot scan the hard drive/enumerate what file systems exist on a system, again, for security purposes.
It might be possibly to do this with Flash/Silverlight/Java. Java seems the most likely to allow a web developer to do this (Java plugin seems to be quite willing to give out every permission under the Sun).
Short answer: No.
Long answer: Allowing automatic uploads in web browsers would be a huge security hole so the browsers intentionally prevent it. Even if you manage to find a hole that permits it, the browser makers will break it as soon as they find out.
However, if you have an environment where an actual separate program can be installed on the end user's computer you could easily write a program to do automated uploads of specified directories when launched.

Backing up dolfin browser saved passwords in bada

I'm using a Samsung Wave 2 with Bada OS on it. I'm wondering if I can see / backup my saved passwords on Dolfin Browser. I can code if required.
It seems the l/p pairs are stored in \User\Br\SFB\FF.dat. I may be wrong though; it's just some hours ago that I've started examining the full file system content of Bada 1.x. Of course the file is fully encrypted.
I will quickly check out whether, after enabling TKFileExplorer on the phone itself (see the mini-tutorial at http://www.mortara.org/board/viewtopic.php?f=14&t=138#p417 for more info), you can access the full file system from inside Bada apps. To browse it from a PC, I recommend TkFileExplorer 2.4 (NOT 2.2, it didn't work with my 723) available at http://forum.xda-developers.com/showpost.php?p=12515691&postcount=20 .
Will report back soon on the sandbox restrictions of TKFileExplorer'ed phones - hope they behave like jailbroken iOS ones (read: no sandbox any more).