iossecurityiphone-developer-programcode-signing-certificate

How to get access to iOS Developer Certificate from code


Is there a way to know with which certificate app was signed?

I want to protect app from resigning with another developer certificate.

Let's say we have client-server application. And server keeps that unique key, associated with Developer Certificate.

So with every request to server we will pass this key, and if app will be reassembled with another developer's certificate, then server will know this.

This is possible? Or may be there another way to protect from resigning?


Solution

  • You can know the certificate and provisioning profile used to sign the app by manually parsing out data in the embedded.mobileprovision file that is included in the app bundle. If you look through the file you'll see information about the certificate and provisioning profile.

    Here's an example of how to get embedded profile data from within your app programmatically:

    NSString* bundleDirectory = [[NSBundle mainBundle] bundlePath];
    NSString* db = [NSString stringWithFormat:@"%@/embedded.mobileprovision", bundleDirectory];
    NSData* data = [NSData dataWithContentsOfFile:db];
    // parse through the data to get your provisioning profile info. I'd recommend opening up the profile that is inside your .app to see how it is structured.
    

    HOWEVER:

    I'm not sure why you'd need to do this since no one can re-sign your app unless they have the right certificate to match the provisioning profile made for your app's bundle ID.

    The only way to get that is to have credentials to the apple developer account that owns the bundle ID OR if someone 'got access' to your certificate and provisioning profile.

    If the latter occurred I believe you should revoke that provisioning profile from within the apple developer account and create a new one to work around the security breach. This way as long as you have access to the developer account you can always stomp on such a security breach that way, instead of writing code between client and server to check for it.