AzureDevOps iOS build fastlane use Apple API Key - ios

I've created an Azure DevOps pipeline for building a React Native mobile application for iOS. I have a service connection to Apple's App Store Connect and it uploads the build to TestFlight as expected. I am also passing Release Notes to the AppStoreRelease task and this requires FastLane credentials to get around the Two Factor Authentication.
I tried the approach of creating a fastlane session ID locally and putting that onto the service connection as per https://github.com/fastlane/fastlane/blob/master/spaceship/README.md#support-for-ci-machines. This approach works fine but the session times out and it has to be done again which isn't a sustainable approach.
I've seen documentation on using App Store Connect keys to authenticate (https://docs.fastlane.tools/app-store-connect-api/), but haven't seen any documentation on how to do this for Azure DevOps. Has anyone done this and can provide documentation or a pointer in the right direction?

Related

Configure iOS App for Apple Sign in with MongoDB Realm Sync

I am trying to implement Sign in with Apple for my iOS app using Realm Sync. I am using the sign-in to authenticate the user into Realm. The thing I do not understand is that I am following these steps from the MongoDB setup for Apple ID sign-in:
In Step 2, on creating a Services ID for the app in the Apple developer portal, we must activate the Sign in with Apple service within the service identifier:
In order to do this we have to provide domains and return URLs? This is all done to create a JWT to put into Realm when activating the Apple sign-in method on Realm's side. I am confused by this - isn't this only for web apps? Do I have to set up a web service on a cloud for this part? I see numerous tutorials on implementing Apple Sign In with Firebase and that's not required.
I genuinely don’t understand what I am supposed to do here. After reading Apple's docs, it shows that you have to do these steps if you are signing in through Apple on a different platform (we are signing in from iOS).
I tried finding tutorials or video examples of people implementing this on their realm database with iOS and I could not find any. I also tried to skip the step of creating a service ID and use the app ID in the script to create the JWT but it ends up being invalid.

Kahuna API - Is the secret key/API Key supposed to be kept private?

I'm trying to set up Kahuna for my iOS app, and haven't been able to find a clear answer - the docs say that the secret key is meant to be used with the API Key for authenticating requests, but I can't find anything that states clearly if either of these should be kept secret/out of source code. Are these safe to put in my code, or should they be kept on the server side?
Thanks
Are these safe to put in my code, or should they be kept on the server side?
Short Answer is no for keeping them on the mobile app code and yes to keep them on the server side.
Why?
Because they will be static secrets in your mobile app code, thus they are easily extracted by using any reverse engineering tool, like using the Mobile Security Framework (MSF) to decompile the app binary.
Alternatives?
Well you can try code obfuscation, to generate the secrets dynamically in the mobile app or to store the secrets in the iOS keychain, but once more they can be reverse engineered at run-time, once more by using the MSF tool.
Possible Solution?
The best approach is to use a Mobile App Attestation service to protect the connection between the mobile app and the API server, that will guarantee at run-time that your App is not being man-in-the-middle attacked, is not being tampered with, is not running in a rooted or jailbroken device and is the same original one uploaded into the app store. This is done in the background without impacting the user experience by using an SDK integrated in your App and a service running in the cloud.
With these guarantees in place we don't need anymore to store secrets in the mobile app for Authentication, Authenticity and Integrity purposes, thus any access to third-party services within the App can now be delegated to the API server that will be able to do a better job of protecting all the necessary secrets to access the third-party services, like storing them in a vault.
You can find a Mobile App Attestation service in Approov (I work here) that provides SDKs for several platforms, including iOS. The integration will also need a small check in the API server code to verify the JWT token. This check is necessary for the API server to be able to decide which requests to serve and which ones to deny.
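As an added example (not Approov's SDK or code, and not from the original answer), here is the kind of server-side check the answer refers to: the API server validates a signed attestation JWT before it spends its own, server-held third-party credentials on a request. It assumes an HS256 token carrying an issuer and expiry, a hypothetical issuer name, and a constructed placeholder secret that exists only on the server side.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed placeholder: the HMAC secret shared by the attestation service and the
# API server. It never ships inside the mobile app; load it from a vault or env var.
SERVER_SECRET = b"placeholder-secret-for-demo-only"
EXPECTED_ISSUER = "attestation-service"  # assumed issuer claim (hypothetical name)

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT; used here only to create input for verify_token."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_token(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is acceptable, otherwise None.
    Rejects malformed tokens, any alg other than HS256 (so 'none' is never honoured),
    bad signatures (constant-time compare), expired tokens and unexpected issuers."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # binascii.Error, UnicodeDecodeError and JSONDecodeError
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= now or claims.get("iss") != EXPECTED_ISSUER:
        return None
    return claims  # the API server now decides whether to forward the request
```

A request whose token comes back as None gets a 401 and never reaches the third-party API; the third-party key itself stays on the server.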

Mobileiron: iOS App authorization in Active Directory

We are developing an iOS application in Xamarin, which will be distributed via MobileIron. We are also developing the Backend WebServices (rest).
What I need to know is, when a web service call comes to my API, I want to make sure, that the call is coming from a client who is logged-in to my app with his Active-Directory credentials, using MobileIron.
The MobileIron website has plenty of information, but is also a bit chaotic.
What MobileIron products are needed for my use case?
What's the best way to protect my WebServices and allow just requests from our iOS Application with correct AD-Credentials?
Do I need the AppConnect SDK or can I just wrap the iOS Application in MobileIron? If I need the SDK, are there any examples?
Thanks in advance!
Cheers
Immi
Here is one way it should work; we have this set up in our environment.
Assuming that the target devices are managed by the MobileIron MDM system with MobileIron Core (MDM) & MobileIron Sentry (Gateway -> Intranet).
You can configure MobileIron Sentry in such a way that a web request from an AppConnect enabled app (no matter if SDK included or wrapped!) will be authenticated with the user certificate from the device; Sentry obtains a Kerberos ticket from the domain controller for the user and then forwards the web request to a website / webservice where Kerberos authentication is enabled and the user has access granted.
There are many things to configure for this to work (CA, user certificate -> device, service account with delegation configured in AD, SPN for website configured in AD,...) and there is a good support document available from MobileIron to get this up & running.
It's too extensive to describe all the steps here.
If this is already setup in the target environment (if there is already another AppConnect app), there are only a few steps left (SPN and MI app-specific AppConnect Config).
The good news is, that the app itself does not have to take care of the authentication. The MobileIron stuff does this on its own...

How to reflect web app hosted on EC2 (AWS) on mobile app (iOS)

So my current task at the company I'm interning with is to create a mobile version (iOS) of a web app written using Flask, HTML & CSS that currently exists and is being hosted on AWS's EC2. Assume I'm a complete noob at AWS and only just learned that EC2 is a cloud computing service.
Essentially, I just want to be able to reflect what's currently on EC2 over to a mobile app in a secure fashion. I guess I'm just trying to avoid rebuilding something in Swift that's already been done. For those familiar with WebView in Xcode, I tried to use that to reflect the web page, but it didn't work (I assume because our web app on EC2 requires login credentials when you open it in a browser?).
I thought that maybe using AWS's SDK for iOS would net me some luck, so I installed CocoaPods and set up a pod, but don't know how or which of these AWS services will help me achieve what I'm trying to do (from reading the documentation, it seems like their purpose is for building an app, not necessarily just projecting a webpage with data already in it).
For some more information, some key features that I think would be useful for our clients that would be using the app are:
The ability to persist data on the app when their device is offline
Some sort of temporary logins for the users. This app wouldn't be distributed through the app store; it would probably just have to be locally downloaded onto certain clients' devices
Lastly, I saw this post come up before creating this one: Does REST API for mobile apps hosted on https protocol web app will be slow? and I noticed that the asker of this question said "Lets say I have built a mobile app running on Android and iOS platform and REST API's for these apps lie under https based web application." This possibly sounds like something that could be helpful, and if anyone could explain what s/he meant by REST API's and what they are, I would be very grateful.
Any advice on how to proceed from here, using anything, would be much appreciated. Thanks!

AWS Mobile without the SDK

Is it possible to use the AWS mobile services (Cognito, Analytics, etc) without linking all the SDK in an Xcode project?
Background:
* While I am not new to AWS nor mobile programming, the following case is challenging:
We are shipping a mobile "framework" (not app) that uses our AWS for some parts (Authentication, logs).
And, as the AWS SDK has to be linked in the app project itself, this will require us asking all the clients (developers) to download and link it in their own projects.
What is used in the framework is just one request for authentication and one for logging (success/failure, disconnection), so no need for all the SDK.
I wonder if there is a possibility to request AWS services without linking against the SDK?
I know it's possible to put them under an umbrella SDK, or do some cherry picking from their git repository, but both of these seem like overkill.
As the request itself is a simple URL with GET/POST, is there a possibility (or tutorial) on constructing the request manually via NSURLConnection/NSURLSession, etc?
Thank you
Talking to the AWS APIs is actually not that hard. The main difficulty is signing your http requests, and that's not nearly as bad as it sounds. Which leaves xml parsing accounting for most of the unpleasantness.
I've done it in go. The most informative part is probably the signing tests.
Indeed, it is possible. You will have to code calls to AWS at the REST level. Everything you need is in the documentation of AWS.
For instance, if you needed to execute actions on EC2, here's what you'd have to code:
http://docs.aws.amazon.com/AWSEC2/latest/APIReference/Query-Requests.html#structure-of-a-get-request
You can call the HTTP APIs directly. Since the AWS Mobile SDK for iOS and Android are open source, you can look at them directly. Find the AWS Mobile SDK for iOS Source on Github, and the AWS Mobile SDK for Android on Github. Since you mentioned you need authentication request on iOS I am guessing you're looking for the Cognito Identity in AWSCore source.
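As an added example that is not from any of the answers or the AWS SDK, here is the request-signing step the first answer calls the main difficulty: a standard-library-only Signature Version 4 signer for a Query-style GET against the EC2 endpoint linked above, signing just the host and x-amz-date headers. The credentials are AWS's published placeholder values and the Action/Version query parameters are constructed for illustration; the same steps port directly to NSURLSession plus CommonCrypto.

```python
import hashlib, hmac, urllib.parse

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """Derive the per-day SigV4 signing key; the long-term secret itself is never sent."""
    k = _hmac(("AWS4" + secret_key).encode(), date)  # date is YYYYMMDD
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")

def sigv4_headers(method: str, host: str, path: str, query: dict, payload: bytes,
                  access_key: str, secret_key: str, region: str, service: str,
                  amz_date: str) -> dict:
    """Return the Host, X-Amz-Date and Authorization headers for a request that
    signs only those two headers (enough for a Query-style GET)."""
    date = amz_date[:8]
    quote = lambda s: urllib.parse.quote(s, safe="-_.~")  # RFC 3986 unreserved only
    canonical_query = "&".join(f"{quote(k)}={quote(v)}" for k, v in sorted(query.items()))
    payload_hash = hashlib.sha256(payload).hexdigest()  # empty body for a GET
    signed_headers = "host;x-amz-date"
    canonical_request = "\n".join([
        method, path, canonical_query,
        f"host:{host}\nx-amz-date:{amz_date}\n",  # lower-cased names, trailing newline
        signed_headers, payload_hash])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date, region, service),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"Host": host, "X-Amz-Date": amz_date, "Authorization": authorization}

if __name__ == "__main__":
    # Constructed call using AWS's documented placeholder credentials (not real keys).
    print(sigv4_headers("GET", "ec2.amazonaws.com", "/",
                        {"Action": "DescribeRegions", "Version": "2016-11-15"}, b"",
                        "AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
                        "us-east-1", "ec2", "20150830T123600Z"))
```

Because the signature covers the date and the request contents, a captured request cannot be replayed after the date window or altered without invalidating it, which is why the secret key can stay out of the request entirely.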
