Upload
madusha-perera
View
133
Download
4
Embed Size (px)
Citation preview
To do List !
1. Generating and installing A developer certificate
2. Creating AN App ID for your app/s
3. Creating A Provisioning Profile for your app
4. Registering the devices you want the app to be
tested on
Why apple made this a mission impossible task!
• Apple guarantees to the the apple device
(iPhone/iPad,…) owner that any app he runs on the
device is created by an authorized (trusted) apple
developer.
(hopefully the device must not have jail broken)
• Authenticity
Ensures whether you are a real authorized
Apple developer (are you sure you paid $99)
• Integrity
Has the code being modified on the way
to the device by some one else
• Non-Repudiation
Developer must be responsible of what he has
sent (dev can’t say “hey I didn’t do that”)
Lets take an Example
• ComBank Online
• Buy a certificate from Comodo
To request for a certificate you need to create a
Key Pair (Private/Public keys) and CSR.
Ex: using openssl but for our case we’ll have
them created automatically as you will see later
? #$#^$^%*%
Hi Handsome
Cleopatra’s private key = 2
Cleopatra’s public key = 25
public key = |Σ| - private key,where public key , private key < |Σ|
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z1 2 3 4 5 6 7 8 9 1
011
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
Hi handsome = 8 9 27 8 1 14 4 19 15 13 5
encrypt with private key = 2
10 11 2 10 3 16 6 21 17 15 7
Encryption/Dycription formula:output = (charValue + private key ) % |Σ|
= (charValue + 2) % 27
10 11 2 10 3 16 6 21 17 15 7
decrypt using public key = 25
Encryption/Dycription formula:output = (charValue + public key ) % |Σ|
= (charValue + 25) % 27
8 9 27 8 1 14 4 19 15 13 5 = Hi handsome
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z1 2 3 4 5 6 7 8 9 1
011
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
What does a CSR hasPKCS #10 spec
Information Description
Distinguished Name (DN) www.commercialbk.com (fully qualified domain name)
Business/Organization Name Commercial Bank
Department Name IT
Town/City Colombo
Province/State Western
Country LK
Email address ######
Public Key ######
FEE+
Senders Digital Certificate
Certificate
Org : Commercial BankIssuer : ComodoPublic Key : ###
hash (sha1)digest
encrypt using Comodo’sprivate key
signature
Certificate
Org : Commercial BankIssuer : ComodoPublic Key : ###
attach the signatureto the certificate
How receiver(browser) authenticates the web site
Certificate
Org : Commercial BankIssuer : ComodoPublic Key : ###
decrypt using Comodo’spublic key
CA Certificate
Org : ComodoIssuer : ComodoPublic Key : #####
hash (sha1)
digest digest
Equal?
yestrust www.commercialbk.com site
Code Sign
Executable file
encrypt with developer’s private key
hashdigest
App Bundle
.app
• executable file• provisioning profile• info.plist• icons … etc.
Where the hell is App Bundle?
• This is the <AppName>.app inside your .ipa
• You can view package contents by right clicking .app
Lets check whether the code is really signed
codesign --display --verbose=4 /path/to/appBundle/exeFile
Machan,codesign is the utility which Xcode uses to
sign your code !
App ID
• Uniquely identify your app
• BundleId = <reverse domain name>.<productName>o com.virtusa.MyApp
• AppID ≈ BundleID
• AppID = <prefix>.<bundleID>o Prefix is a 10characters long string auto generated by provisioning portal.
o Example: 9572D83736. com.virtusa.MyApp
Lets see this in portal: we can even attach services such as push notifications (entitlements) that are unique for the specific app. That is because those services must need to identify the app uniquely. For example APNS must know the exact app to push notifications.
Provisioning profile(A PKCS#7 signed plist)
• Why do we need ito Its just a signed plist and apple uses this to verify that the application is
being installed is from an authorized developer and that the contents of it
has not been modified. And moreover apple doesn’t want us to run apps
in any device other than via app store.
• It’s not a must to have it in the .ipa but it’s a must to
have it installed in the device some how.
• To check the provision profiles in the iphoneo Settings-> genaral -> profiles
o You can view proviosion profile in the ipa as embedded.mobileproviosn
Provisioning profile : Anatomy
App ID
UDIDs
Dev Certificate/s
This Unique app
Can run on these restricted devices
With the trust based on the sign by authorized developer/s
What’s inside provisioning profile
• Lets check provision profiles’ validity and its’
content
openssl smime -in /path/to/provisioningProfile -inform der -verify
After the creation of respective entity
• We can’t change any thing in dev cert other than
revoking it
• We can change permissions for services given in the
AppID
• We can change dev cert and device UDIDs in the
provisioning profile
When the app runs
• Take dev cert from provisioning profile and validate
its signature and authenticates it as a trusted
devcert (authenticate)
• Using the public key in that dev cert, decrypt the
encrypted digest and match it with the digest of
the executable file (integrity/nonrepudiation-
developer can’t say its not from me)
• If the device is listed in the provisioning profile let
the app run on the device.
Jargon
• Digital Certificates
• X.509
• PKCS standardo PKCS#7 -> used in provisioning profile
o PKCS#10 -> used in CSR
o PKCS#12 -> used to manage keys
• PKI
• Code Signingo Code Signing Identity
• Provisioning Profiles
• UDID/UUID
• .ipa/.app & AppBundle