How to use installed SSL certificate to secure iOS app? - ios

I am trying to secure an iOS app by checking whether an installed SSL certificate exists or not. First I created a self-signed certificate with OpenSSL, and then installed it on my iPhone. Right now I need to programmatically check whether this certificate is installed or not. If it exists, the app can run without limit; if not, the user won't be able to use the app. So how do I programmatically check whether this certificate is installed on the device from my app code?
Why do we need to install SSL certificate on our iOS devices?

Users can install digital identities (certificates plus their associated private keys) onto their iOS devices by downloading them from within Safari, by opening them as email attachments, and by installing them with configuration profiles. Or, identities can be pushed from a Mobile Device Management (MDM) server. However, identities installed in any of these ways are added to the Apple keychain access group.
Refer to the links below for more info.
https://forums.developer.apple.com/thread/52345
https://developer.apple.com/library/archive/qa/qa1745/_index.html

Related

How to install root CA certificate from app on iOS and prompt user to trust?

I'm using the NEVPNManager to create a personal VPN for my iOS app, which is working. Now I'm trying to install a root CA certificate that can be used by all apps. I understand the user will need to trust this certificate under General -> About -> Certificate Trust Settings. I'm trying to automate as much of this process as possible. The two ways I've found to attempt to do this are either:
1) Open Safari with a URL to the root certificate hosted on a website, and iOS will prompt the user to install the certificate as a profile.
2) Install the certificate programmatically within the app.
Option #1 works, but after the user installs the certificate they are not taken back to the app and still have to manually go in and trust the certificate in the Certificate Trust Settings.
With option #2, if SecItemAdd is used it is only added to the keychain for the sandbox of my app and not available to other apps. The only option I have seen to make it available to other apps is to increase its trust level as shown here, but this seems to require an old open source library from Apple that I was not able to get to build.
So, what is the best option to accomplish installing the root certificate and prompting the user to make it trusted? If it is possible through #2, any ideas how I build and then incorporate that library into my app? If I'm left with #1, what is the best way to simplify the process for the user?
SecTrustSettingsSetTrustSettings and related symbols are private API and your app will be rejected by Apple on submission. Even if you manage to compile this open source, it will still export the private symbols, and your app will be rejected.
Instead, you should use the openURL: API and point to a .p12 file, either locally hosted (by using an in-app web server) or remote. The .p12 file should include the certificate chain.
This will open the Settings app and ask the user to install the certificate. Once the user installs, all applications on the device will trust it.

How to install self signed certificate in iOS 10

It appears that Apple has removed the ability to trust SSL certificates that are self-signed in iOS 10.
I created my own self-signed certificate and have a local web server that is signed with my certificate. I must install my certificate in iOS for testing locally, as I have developed an iOS application that needs to trust my certificate.
How can I install my self-signed certificate?
Good news, they haven't. If you just need this for development purposes, which it sounds like you do (and you shouldn't be using self-signed certificates in production anyway), you can install the self-signed certificate on your iOS devices manually. Following the equivalent FAQ for my iOS Web Bluetooth browser app:
Create your self-signed certificate and key files using openssl or however. Be sure it has the correct /CN “Common Name” for your local server, e.g. mycomputer.local.
Configure your webserver to use it (obviously) and check that it is working using a different client, such as a browser on a Mac.
Email your certificate to an email address you can access on your iOS device.
Tap on the attachment in Mail on your iOS device, this should now prompt you to install it. Do so.
You should now verify that it is installed by going to the Settings app then General -> Profile -> <Common Name>. The Profile menu probably won’t be there at all until you’ve installed the first certificate. The certificate should be marked Verified (it was verified by you when you installed it).
You might, like I did, have thought this would be enough. It isn’t. You now, really counter-intuitively, need to go to the setting General -> About -> Certificate Trust Settings and enable full trust for your certificate there as well. It’s such a weird place for that setting to be.
The installation of own root certificates changed at some point (maybe somebody can confirm, if it was at iOS 11).
What you need to do is with your Mac, get Apple Configurator 2 and create a profile containing your certificate. The resulting mobile profile file can be installed from Safari or email.

I am unable to deploy OTA iPhone apps via my webserver but services like Diawi can install the app on my device just fine

I have built an iPhone application in Xcode and have generated all of the required certificates and provisioning profiles on Apple's developer website. I have installed the certificates on my computer and the test phone I am using has my OTA distribution profile installed on it.
I have built and exported the application using my distribution profile and certificates and put the xml/plist and ipa files on an SSL secured web server and whenever I try to download the app, it asks if I want to install it and then the installation immediately fails and it tells me the app could not be downloaded. However, I have uploaded the ipa file to Diawi.com and using their website I can install the same app on the phone without any issues.
I do not want to have to rely on a 3rd party service for hosting my application.
Things to check:
Make sure your device's UDID is part of the Ad Hoc provisioning profile you are using
Make sure you are signing the archive with this profile
Make sure the manifest is correct, including all URLs (especially any references to images)
Make sure your web server is set up to serve .ipa and .plist with the proper MIME types (this has got me a couple of times)

Is it possible to use a client certificate installed on an iOS device within my app?

I want to be able to install a client certificate (via email, for example) and then use that certificate to authenticate requests sent by my app. I have the feeling that Apple won't allow that kind of access, but can't find any definite answer. Is that true, or is there a way to access client certificates installed on the device from within an app?
Edit: To clarify, this is a native app, not a webapp.
Your app can use only what you store in its own keychain (or the keychains of other third-party apps that share the same provisioning certificate).
As for the actual loading, we do use OpenSSL (we wrote an Obj-C wrapper around it) to decode the .p12 that we send to the app.
The certificates loaded in Settings -> General -> Profiles are protected in some way; only built-in apps (Mail, Safari) can add stuff there.
To use client certificates in your app you have to implement import of the certificate within your app into your app's keychain. (Note that you need to use the PKCS#12 certificate format, but you need to register it in your app (search for exported UTIs and Document Types) with a different extension, other than ".p12", which is already registered by iOS. I've used .x-p12 in my app.)
See here: iOS Client Certificates and Mobile Device Management
and here: https://developer.apple.com/library/ios/qa/qa1745/_index.html
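The import-then-authenticate flow the answer describes, as an added Swift example (not the poster's code): it assumes the app has already received the PKCS#12 bytes and their password through its own channel (for instance the custom .x-p12 document type mentioned above), stores the identity in the app's own keychain, and presents it when a server asks for a client certificate.

```swift
import Foundation
import Security

/// Decode a PKCS#12 blob into a SecIdentity. `p12Data` and `password` are
/// assumed to come from the app's own transport (e.g. the registered document type).
func loadIdentity(p12Data: Data, password: String) -> SecIdentity? {
    let options = [kSecImportExportPassphrase as String: password] as CFDictionary
    var items: CFArray?
    guard SecPKCS12Import(p12Data as CFData, options, &items) == errSecSuccess,
          let first = (items as? [[String: Any]])?.first,
          let identityRef = first[kSecImportItemIdentity as String] else {
        return nil  // wrong password, corrupt blob, or no identity inside
    }
    return (identityRef as! SecIdentity)
}

/// Persist the identity in the app's sandboxed keychain so it survives relaunches.
/// errSecDuplicateItem on a second import is expected and harmless.
func storeInAppKeychain(_ identity: SecIdentity, label: String) -> OSStatus {
    let attributes: [String: Any] = [
        kSecValueRef as String: identity,
        kSecAttrLabel as String: label,
    ]
    return SecItemAdd(attributes as CFDictionary, nil)
}

/// URLSession delegate that answers a client-certificate challenge with the
/// imported identity and leaves server-trust evaluation to the system.
final class ClientCertSessionDelegate: NSObject, URLSessionDelegate {
    private let identity: SecIdentity

    init(identity: SecIdentity) { self.identity = identity }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodClientCertificate else {
            // Server trust and other methods: keep the default (OS) behaviour.
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Intermediate certificates could be passed in `certificates` if the
        // server needs the full chain; the leaf is taken from the identity.
        let credential = URLCredential(identity: identity, certificates: nil, persistence: .forSession)
        completionHandler(.useCredential, credential)
    }
}
```

Create the session as `URLSession(configuration: .default, delegate: ClientCertSessionDelegate(identity: identity), delegateQueue: nil)`; requests made through it will present the certificate only when the server requests one.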

iOS development certificate and provisioning profile, possible without internet on the Mac?

I have enrolled in the iOS developer program. I've developed an app which I would like to test on an iPad device. For security reasons, I cannot have a direct internet connection on the Mac I am developing on.
I understand I can generate the certificate signing request and transfer it to another computer (this computer can have an internet connection), then upload it to the Apple website. This is where the tricky part comes: the developer certificate will be pending until I download the WWDR intermediate certificate and install it on the Mac without internet. Then after I refresh the page nothing happens, of course, because the Mac on which I registered the WWDR has no way of communicating with Apple.
Is there another way of obtaining this certificate, or is there a method I could use, other than connecting the Mac to the internet?
To overcome this problem, you need to share certificates between multiple devices. You can easily export certificates from /Applications/Utilities/Keychain Access in .p12 format and install them on the other computer, and after that you can sync all provisioning, Ad Hoc and App Store profiles.
You can follow this tutorial and these links for the step-by-step process.