3. To-do list!
1. Generating and installing a developer certificate
2. Creating an App ID for your app/s
3. Creating a provisioning profile for your app
4. Registering the devices you want the app to be tested on
4. Why Apple made this a mission impossible task!
• Apple guarantees to the owner of the Apple device (iPhone/iPad,…) that any app he runs on the device is created by an authorized (trusted) Apple developer.
(Hopefully the device has not been jailbroken.)
7. • Authenticity
Ensures that you are a real authorized Apple developer (are you sure you paid $99?)
• Integrity
Has the code been modified on the way to the device by someone else?
• Non-Repudiation
The developer must be responsible for what he has sent (the dev can’t say “hey, I didn’t do that”)
12. What does a digital certificate have?
X.509 standard
public key
digital signature
13. Let's take an example
• ComBank Online
• Buy a certificate from Comodo
To request a certificate you need to create a key pair (private/public keys) and a CSR.
Ex: using openssl, but in our case we’ll have them created automatically, as you will see later
14. [Figure: the message "Hi Handsome" shown next to the unreadable text "? #$#^$^%*%"]
Cleopatra’s private key = 2
Cleopatra’s public key = 25
public key = |Σ| - private key,
where public key, private key < |Σ|
15.
A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z  (space)
1  2  3  4  5  6  7  8  9  10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27
Hi handsome = 8 9 27 8 1 14 4 19 15 13 5
encrypt with private key = 2
10 11 2 10 3 16 6 21 17 15 7
Encryption/Decryption formula:
output = (charValue + private key) % |Σ|
= (charValue + 2) % 27
16. 10 11 2 10 3 16 6 21 17 15 7
decrypt using public key = 25
Encryption/Decryption formula:
output = (charValue + public key) % |Σ|
= (charValue + 25) % 27
8 9 27 8 1 14 4 19 15 13 5 = Hi handsome
A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z  (space)
1  2  3  4  5  6  7  8  9  10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27
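The toy key pair from slides 14 to 16 as runnable Python, added here as an example and not part of the original deck; the function names are made up for illustration. It also covers two points the slides skip: a result of 0 has to be read as 27, and the private key can be computed directly from the public key, so this scheme only illustrates the idea of a key pair and offers no secrecy.

```python
# Added example: the deck's toy shift scheme. Function names are hypothetical.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ "   # A=1 ... Z=26, space=27
SIGMA = len(ALPHABET)                      # |Σ| = 27

def make_public_key(private_key):
    """public key = |Σ| - private key, with both keys below |Σ|."""
    if not 0 < private_key < SIGMA:
        raise ValueError("private key must be between 1 and |Σ| - 1")
    return SIGMA - private_key

def encode(text):
    """Map each character to its table value (case is ignored)."""
    return [ALPHABET.index(ch) + 1 for ch in text.upper()]

def decode(values):
    """Map table values back to characters."""
    return "".join(ALPHABET[v - 1] for v in values)

def transform(values, key):
    """output = (charValue + key) % |Σ|, where a result of 0 is written as 27."""
    out = []
    for v in values:
        r = (v + key) % SIGMA
        out.append(r if r != 0 else SIGMA)
    return out

def recover_private_key(public_key):
    """The weakness: the same subtraction that makes the public key undoes it."""
    return SIGMA - public_key

PRIVATE = 2
PUBLIC = make_public_key(PRIVATE)           # 25, as on slide 14
PLAIN = encode("Hi handsome")
CIPHER = transform(PLAIN, PRIVATE)          # slide 15
ROUND_TRIP = transform(CIPHER, PUBLIC)      # slide 16

if __name__ == "__main__":
    print(CIPHER)
    print(decode(ROUND_TRIP))
    print(recover_private_key(PUBLIC))
```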
17. What does a CSR have?
PKCS #10 spec
Information                  Description
Distinguished Name (DN)      www.commercialbk.com (fully qualified domain name)
Business/Organization Name   Commercial Bank
Department Name              IT
Town/City                    Colombo
Province/State               Western
Country                      LK
Email address                ######
Public Key                   ######
+ FEE
20. Sender's Digital Certificate
Certificate
Org : Commercial Bank
Issuer : Comodo
Public Key : ###
hash (sha1) -> digest -> encrypt using Comodo’s private key -> signature
Attach the signature to the certificate (Org : Commercial Bank, Issuer : Comodo, Public Key : ###)
21. How the receiver (browser) authenticates the web site
Certificate
Org : Commercial Bank
Issuer : Comodo
Public Key : ###
CA Certificate
Org : Comodo
Issuer : Comodo
Public Key : #####
Signature -> decrypt using Comodo’s public key -> digest
Certificate -> hash (sha1) -> digest
Digests equal? yes -> trust www.commercialbk.com site
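The sign-and-verify flow of slides 20 and 21 as an added example, not taken from the original deck. It assumes a toy textbook-RSA key for the CA built from two known Mersenne primes, with no padding, and uses SHA-1 only because the slide names it (public CAs today sign with SHA-256); the function names are hypothetical.

```python
import hashlib

# Toy CA key pair (constructed for illustration; far too small and unpadded
# for real use). P and Q are the Mersenne primes 2^61-1 and 2^89-1.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537                               # CA public exponent
D = pow(E, -1, (P - 1) * (Q - 1))       # CA private exponent

def digest(cert_fields):
    """hash (sha1) -> digest, reduced below N so the toy key can sign it."""
    body = "\n".join(f"{k}: {v}" for k, v in sorted(cert_fields.items()))
    return int.from_bytes(hashlib.sha1(body.encode()).digest(), "big") % N

def ca_sign(cert_fields):
    """Slide 20: 'encrypt' the digest with the CA's private key."""
    return pow(digest(cert_fields), D, N)

def browser_verify(cert_fields, signature):
    """Slide 21: 'decrypt' the signature with the CA's public key and
    compare it with a freshly computed digest of the certificate."""
    return pow(signature, E, N) == digest(cert_fields)

# Certificate fields as shown on the slide; the key value is a placeholder.
CERT = {"Org": "Commercial Bank", "Issuer": "Comodo", "Public Key": "###"}
SIGNATURE = ca_sign(CERT)

# Same signature attached to a certificate whose public key was swapped.
TAMPERED = dict(CERT, **{"Public Key": "some-other-key"})

if __name__ == "__main__":
    print("original :", browser_verify(CERT, SIGNATURE))
    print("tampered :", browser_verify(TAMPERED, SIGNATURE))
```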
22. Let's create a dev cert for ourselves
code signing identity
(public key + private key)
24. Where the hell is the App Bundle?
• This is the <AppName>.app inside your .ipa
• You can view the package contents by right-clicking the .app
25. Let's check whether the code is really signed
codesign --display --verbose=4 /path/to/appBundle/exeFile
Machan, codesign is the utility which Xcode uses to sign your code!
27. App ID
• Uniquely identifies your app
• BundleId = <reverse domain name>.<productName>
o com.virtusa.MyApp
• AppID ≈ BundleID
• AppID = <prefix>.<bundleID>
o The prefix is a 10-character string auto-generated by the provisioning portal.
o Example: 9572D83736.com.virtusa.MyApp
Let's see this in the portal: we can even attach services such as push notifications (entitlements) that are unique to the specific app. That is because those services need to identify the app uniquely. For example, APNS must know the exact app to push notifications to.
28. Provisioning profile
(A PKCS#7 signed plist)
• Why do we need it
o It's just a signed plist, and Apple uses it to verify that the application being installed is from an authorized developer and that its contents have not been modified. Moreover, Apple doesn’t want us to run apps on any device other than via the App Store.
• It’s not a must to have it in the .ipa, but it’s a must to have it installed on the device somehow.
• To check the provisioning profiles on the iPhone
o Settings -> General -> Profiles
o You can view the provisioning profile in the .ipa as embedded.mobileprovision
29. Provisioning profile: Anatomy
App ID: This unique app
UDIDs: Can run on these restricted devices
Dev Certificate/s: With the trust based on the signature of authorized developer/s
33. After the creation of the respective entity
• We can’t change anything in the dev cert other than revoking it
• We can change permissions for services given in the AppID
• We can change the dev cert and device UDIDs in the provisioning profile
34. When the app runs
• Take the dev cert from the provisioning profile, validate its signature and authenticate it as a trusted dev cert (authenticate)
• Using the public key in that dev cert, decrypt the encrypted digest and match it with the digest of the executable file (integrity/non-repudiation: the developer can’t say it's not from me)
• If the device is listed in the provisioning profile, let the app run on the device.
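An added sketch (not Apple's code and not from the original deck) of the checks on slides 29 and 34 that read the provisioning profile: App ID match, device UDID listed, dev cert present. The sample profile is constructed, the keys ProvisionedDevices, DeveloperCertificates and Entitlements/application-identifier are the ones found in a real embedded.mobileprovision, and the PKCS#7 signature check itself is deliberately left out.

```python
import plistlib

def extract_plist(signed_profile: bytes) -> dict:
    """Cut the XML plist out of the PKCS#7 wrapper. The signature is NOT
    verified here; this only reads what the signed blob claims."""
    start = signed_profile.find(b"<?xml")
    end = signed_profile.find(b"</plist>", max(start, 0))
    if start < 0 or end < 0:
        raise ValueError("no plist found in profile")
    return plistlib.loads(signed_profile[start:end + len(b"</plist>")])

def may_run(profile: dict, udid: str, prefix: str, bundle_id: str):
    """Return (allowed, reason) for the profile checks on slides 29 and 34."""
    app_id = profile.get("Entitlements", {}).get("application-identifier")
    if app_id != f"{prefix}.{bundle_id}":          # AppID = <prefix>.<bundleID>
        return False, "app ID mismatch"
    devices = [d.lower() for d in profile.get("ProvisionedDevices", [])]
    if udid.lower() not in devices:
        return False, "device not listed"
    if not profile.get("DeveloperCertificates"):
        return False, "no developer certificate"
    return True, "ok"

# Constructed sample: placeholder wrapper bytes around a plist built in place.
TEST_UDID = "0123456789abcdef0123456789abcdef01234567"   # 40 hex characters
SAMPLE_PROFILE = (
    b"\x30\x80constructed-pkcs7-header"
    + plistlib.dumps({
        "Entitlements": {"application-identifier": "9572D83736.com.virtusa.MyApp"},
        "ProvisionedDevices": [TEST_UDID],
        "DeveloperCertificates": [b"constructed-der-bytes"],
    })
    + b"constructed-signature-bytes"
)

if __name__ == "__main__":
    profile = extract_plist(SAMPLE_PROFILE)
    print(may_run(profile, TEST_UDID, "9572D83736", "com.virtusa.MyApp"))
    print(may_run(profile, "f" * 40, "9572D83736", "com.virtusa.MyApp"))
```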
35. Jargon
• Digital Certificates
• X.509
• PKCS standard
o PKCS#7 -> used in provisioning profile
o PKCS#10 -> used in CSR
o PKCS#12 -> used to manage keys
• PKI
• Code Signing
o Code Signing Identity
• Provisioning Profiles
• UDID/UUID
• .ipa/.app & AppBundle
36. Q & A
“The average person’s smartphone knows more about them than their
spouse or significant other …”
Editor's Notes
Through a certificate. Apple will give us (iOS developers) a certificate for money. Yes for $99.
This certificate is a digital certificate and you will need it to sign the code of your app later. But why? Simply to gain trust. This will help to preserve some key concepts in Information Security while fulfilling Apple's promise to the device owner.
PKI is the infrastructure made up of procedures and software to manage digital certificates.
X.509 is the standard that defines the format of digital certificates.
Eventually this CSR will be submitted as a .P10 (in PKCS10 format) file.
Let's talk about public key encryption. Here’s a small key creation algorithm I have devised.
Export the code signing identity as a .p12 file so that you can have it anywhere. Note WWDRCA (Worldwide Developer Relations Certificate Authority).
.ipa is just an archive which has the app bundle. Payload is the sandbox and contains app bundle + documents folder + library folder + tmp folder.
Let's create an ipa and test the app bundle for signature.
PKCS#7 is a standard, but it has 2 main flavors: PEM and DER. Apple favours the .der format.
This is signed and is always validated when installed on the device.
The dev cert is encoded in base64 and embedded in the provisioning profile.
UDID (Unique Device Identifier) is the unique number for each device. A hexadecimal value of 40 characters. Can check in iTunes.
UUID (Universally Unique Identifier) is to uniquely identify an app inside a device. If the app gets reinstalled the UUID changes. The UUID will change when there's an update to the provisioning profile.