I want to create secure communication channel between my RPI and iOS 11 mobile application in local environment. My RPI is running a python API code and my iOS mobile app creates different API calls to the RPI. For secure connection I’m using certificates signed by my private Certificate Authority. All certificates and signing requests were created using “OpenSSL” Linux command line tool.
As I mentioned earlier, devices are communicating in the local network over the default .local domain, which is configured by the Avahi service on the Linux device and the Bonjour (zeroconf) service on the iOS device. In the beginning I had some issues with loading certificates in the mobile app, and after I had done some research I found that I must have the “NSAllowsLocalNetworking” flag enabled inside the Xcode IDE. With the “NS” flag enabled, SSL certificate pinning was successful and secure communication was established.
What I don’t know and I would like to find out are two things:
Is there any restriction from Apple side with publishing application to the app store when the “NSAllowsLocalNetworking” flag was enabled?
Besides using certificates, what other options do I have in terms of secure communication between iOS mobile app and RPI?
You are using the correct approach. Using a self-signed certificate with certificate pinning is the right approach and will allow you to trust the connection, as long as you have protected the key used to generate the cert.
In fact, it is recommended by Apple:
Note: Although ATS is unenforced for connection to local hosts, Apple strongly recommends using Transport Layer Security (TLS) for any local connection, along with the use of a self-signed certificate to validate the local IP address.
Apple created the NSAllowsLocalNetworking flag specifically for scenarios such as this. As of the current Apple documentation, use of this flag will not trigger the need to provide Apple with justification for disabling ATS. One additional thing to note is that this flag is only supported on iOS 10 and later.
If you need to support older versions, Apple offers a way to do this. Basically, you set both the NSAllowsArbitraryLoads flag to true, as well as the NSAllowsLocalNetworking flag. iOS 9 only understands NSAllowsArbitraryLoads, so iOS 9 devices disable ATS altogether. iOS 10+ understands both NSAllowsArbitraryLoads and NSAllowsLocalNetworking, so it has logic built in to let NSAllowsLocalNetworking override NSAllowsArbitraryLoads, and leaves ATS protections on for the rest of the app while allowing local network connections to go through. Apple covers that on their documentation page under the header "Supporting Older Operating Systems".
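As an added example that is not part of the answer above, this Python (plistlib) snippet emits the two NSAppTransportSecurity configurations just described and lints an Info.plist for the flag combination that disables ATS on iOS 9; the key names are Apple's real ATS keys, the lint wording is constructed.

```python
import plistlib

# Added example (not code from the question or answer). Builds the
# NSAppTransportSecurity dictionary for a local-network-only app and lints an
# Info.plist for the flag combinations discussed above. Key names are Apple's
# real ATS keys; the finding texts are constructed for illustration.

ATS_KEY = "NSAppTransportSecurity"


def ats_settings(support_ios9: bool) -> dict:
    """ATS exception for an app that only talks to hosts on the local network."""
    ats = {"NSAllowsLocalNetworking": True}
    if support_ios9:
        # iOS 9 does not understand NSAllowsLocalNetworking, so it needs the
        # blanket exception; iOS 10+ lets NSAllowsLocalNetworking override it.
        ats["NSAllowsArbitraryLoads"] = True
    return {ATS_KEY: ats}


def info_plist_bytes(support_ios9: bool) -> bytes:
    """XML plist fragment ready to merge into the app's Info.plist."""
    return plistlib.dumps(ats_settings(support_ios9), fmt=plistlib.FMT_XML)


def lint_ats(plist_data: bytes) -> list:
    """Return human-readable findings about the ATS exceptions in an Info.plist."""
    ats = plistlib.loads(plist_data).get(ATS_KEY, {})
    arbitrary = bool(ats.get("NSAllowsArbitraryLoads", False))
    local = bool(ats.get("NSAllowsLocalNetworking", False))
    findings = []
    if arbitrary and not local:
        findings.append("NSAllowsArbitraryLoads without NSAllowsLocalNetworking: "
                        "ATS is disabled app-wide on every iOS version")
    elif arbitrary:
        findings.append("NSAllowsArbitraryLoads present: ATS is disabled app-wide "
                        "on iOS 9 (only iOS 10+ honours the local-networking override)")
    return findings


if __name__ == "__main__":
    print(info_plist_bytes(support_ios9=False).decode())
    for finding in lint_ats(info_plist_bytes(support_ios9=True)):
        print("finding:", finding)
```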
We are developing an app with Per-App VPN that runs on iOS. This container app is designed so that some of our specific apps connect to the network through the VPN at certain times, while all the other apps do not.
We want these specific apps to connect to the network normally before the VPN is turned on, after the container app and configuration profile are installed, and to connect through the VPN once the VPN is manually turned on in the container app.
I have some questions I cannot find answers to.
I've added the NETestAppMapping key to the Info.plist of my container app in Development, and the Bundle Identifiers of those specific apps are added to NETestAppMapping. After building the container app and installing the configuration profile with Apple Configurator 2, I found those specific apps cannot connect to the Internet until I turn on the VPN in the container app. Is that normal?
NETestAppMapping is a way to configure those specific apps in Development. I wonder what the production mechanism for specifying app mappings is.
Moreover, something really weird once happened. I deleted the configuration profile from the iPhone, and NETestAppMapping from the container app. Then I turned on the VPN in the container app in the normal way. After doing this, I found the function we want is implemented.
Thank you very much.
An app that is associated with a Per-App VPN will only have its traffic routed through the Per-App VPN. If On-Demand is disabled and the VPN is turned off, then no traffic will flow from the app.
As such, I see two ways to achieve having the apps route through the Per-App VPN only some of the time:
Implement the VPN using NEPacketTunnelProvider in such a way the VPN always launches On-Demand and continues to be 'active', but the VPN app can be used to toggle whether the NEPacketTunnelProvider actually routes the traffic through the VPN or whether it simply acts as a TCP/UDP forwarder.
Utilise an MDM and its SDK (assuming support) to associate and disassociate your applications from the Per-App VPN when a toggle is switched in the VPN app. Note that this will likely be clunky, with a time delay and may cause your app to be killed if it is running. I won't recommend this approach.
It's worth noting that NETestAppMapping only works for development builds and won't work for distribution builds (e.g. Enterprise (In-House) or App Store). You will need to use an MDM to utilise a Per-App VPN.
For an example of using an NEPacketTunnelProvider with packet forwarding, I would take a look at this paper: Does your phone spy on you? by Severin Amrein.
In my project, I need to install an application to iOS devices using a desktop EXE. I use the libimobiledevice command to install the application and it works fine. As I use an enterprise developer profile, I know I need to trust the profile from Settings. To trust a profile it needs an internet connection, as per Apple.
iOS9 Untrusted Enterprise Developer with no option to trust
But in my case there will not be any internet connection on the device, though we have an internet connection on the desktop PC where the EXE runs. Is there any option to launch an Enterprise IPA file without having an internet connection?
I have looked at MDM Apple Enterprise distribution but am not sure whether it will serve my purpose.
Is there any possible way to launch the enterprise IPA without having an internet connection on the iOS device?
You need to be able to verify the Enterprise Certificate in the app with Apple, as they are the ones giving you a licence to install apps outside the appstores.
That's just the way these Enterprise IDs work.
If the desktop PCs have iTunes, you could try dropping the IPA in there and see if this antique program can help you out.
This would definitely require some hacking. One approach may be to edit the hosts file of the computer when installing using the executable, launching your own server to listen on the port specified in the hosts file, and replicating the response given by the server in a real-life scenario (you can probably use Charles or Fiddler to trace the response which is supposed to be given by the server).
Basically, the verification of the cert would be done by the local server you are running.
This, of course, is quite complex as a task... good luck!
I asked a question recently about whether I can have parental control over iOS devices.
The link to the question is below:
Is it possible to write a parental control app for iOS?
A senior developer answered and said this is not possible to do without a jailbreak.
But I found an app named "OurPact" and by using that I can control any other device. How can they have parental control if this is not possible in iOS?
OurPact uses the Mobile Device Management (MDM) protocol, which provides a way to tell a device to execute certain management commands remotely. The way it works is straightforward.
During installation:
The user or administrator tells the device to install an MDM payload.
The device connects to the check-in server. The device presents its identity certificate for authentication, along with its UDID and push notification topic.
If the server accepts the device, the device provides its push notification device token to the server. The server should use this token to send push messages to the device. This check-in message also contains a PushMagic string. The server must remember this string and include it in any push messages it sends to the device.
During normal operation:
The server (at some point in the future) sends out a push notification to the device.
The device polls the server for a command in response to the push notification.
The device performs the command.
The device contacts the server to report the result of the last command and to request the next command.
Access Rights
Allow inspection of installed configuration profiles.
Allow installation and removal of configuration profiles.
Allow device lock and passcode removal.
Allow device erase.
Allow query of Device Information (device capacity, serial number).
Allow query of Network Information (phone/SIM numbers, MAC addresses).
Allow inspection of installed provisioning profiles.
Allow installation and removal of provisioning profiles.
Allow inspection of installed applications.
Allow restriction-related queries.
Allow security-related queries.
Allow manipulation of settings. Availability: Available in iOS 5.0 and later.
Allow app management. Availability: Available in iOS 5.0 and later.
About Mobile Device Management
The Mobile Device Management (MDM) protocol provides a way for system administrators to send device management commands to managed iOS devices running iOS 4 and later, macOS devices running macOS v10.7 and later, and Apple TV devices running iOS 7 (Apple TV software 6.0) and later. Through the MDM service, an IT administrator can inspect, install, or remove profiles; remove passcodes; and begin secure erase on a managed device.
The MDM protocol is built on top of HTTP, transport layer security (TLS), and push notifications. The related MDM check-in protocol provides a way to delegate the initial registration process to a separate server.
MDM uses the Apple Push Notification Service (APNS) to deliver a “wake up” message to a managed device. The device then connects to a predetermined web service to retrieve commands and return results.
To provide MDM service, your IT department needs to deploy an HTTPS server to act as an MDM server, then distribute profiles containing the MDM payload to your managed devices.
A managed device uses an identity to authenticate itself to the MDM server over TLS (SSL). This identity can be included in the profile as a Certificate payload or it can be generated by enrolling the device with SCEP.
Ref -
Here is the complete guide on how to create a verified iOS Mobile Device Management (MDM) profile/certificate.
Official Apple Document about MDM
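The check-in flow described above (Authenticate with identity certificate and UDID, then TokenUpdate with device token and PushMagic, then a push carrying the PushMagic), as an added Python model of the server side that is not OurPact's or Apple's code; MessageType, UDID, Topic, Token and PushMagic are the protocol's real plist keys, while the topic, UDID, certificate identities and PushMagic value are constructed.

```python
import plistlib

# Added example, not OurPact's or Apple's code: a minimal model of the server
# side of the MDM check-in flow described above. MessageType, UDID, Topic,
# Token and PushMagic are the protocol's real keys; every value is constructed.

class CheckInServer:
    def __init__(self, topic):
        self.topic = topic    # APNs topic of this server's MDM push certificate
        self.devices = {}     # UDID -> {"identity", "token", "push_magic"}

    def handle_checkin(self, body, client_identity):
        # client_identity: subject of the TLS client certificate that the
        # front end has already verified for this request.
        msg = plistlib.loads(body)
        if msg.get("Topic") != self.topic:
            return False, "push topic does not match this server"
        udid, kind = msg.get("UDID"), msg.get("MessageType")
        if kind == "Authenticate":
            # Bind the UDID to the certificate identity that enrolled it.
            self.devices[udid] = {"identity": client_identity,
                                  "token": None, "push_magic": None}
            return True, "authenticated"
        rec = self.devices.get(udid)
        if rec is None or rec["identity"] != client_identity:
            # A TokenUpdate from another identity must not hijack the UDID.
            return False, "unknown UDID or identity mismatch"
        if kind == "TokenUpdate":
            rec["token"], rec["push_magic"] = msg["Token"], msg["PushMagic"]
            return True, "token stored"
        return False, "unsupported MessageType"

    def push_payload(self, udid):
        # An MDM wake-up push carries only the PushMagic from the TokenUpdate.
        rec = self.devices[udid]
        if rec["push_magic"] is None:
            raise LookupError("device has not completed TokenUpdate")
        return rec["token"], {"mdm": rec["push_magic"]}

def demo():
    srv = CheckInServer("com.apple.mgmt.External.example")
    auth = plistlib.dumps({"MessageType": "Authenticate", "UDID": "UDID-0001",
                           "Topic": srv.topic})
    upd = plistlib.dumps({"MessageType": "TokenUpdate", "UDID": "UDID-0001",
                          "Topic": srv.topic, "Token": b"\x01\x02\x03",
                          "PushMagic": "MAGIC-constructed"})
    results = [srv.handle_checkin(auth, "CN=device-0001"),
               srv.handle_checkin(upd, "CN=device-0001"),
               srv.handle_checkin(upd, "CN=other-device")]   # rejected
    return results, srv.push_payload("UDID-0001")
```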
I have found following network requirements for OTA deployment:
https://help.apple.com/deployment/ios/#/apda0e3426d7
Network configuration requirements
If the devices are connected to a closed internal network, you should let iOS devices access the following:
ax.init.itunes.apple.com: The device obtains the current file-size limit for downloading apps over the cellular network. If this website isn’t reachable, installation may fail.
ocsp.apple.com: The device contacts this website to check the status of the distribution certificate used to sign the provisioning profile.
I want to ask: is it possible to deploy through the intranet without access to the above websites? Any workaround?
Thanks.
We have OTA setup in our intranet. Works fine. Only requirement is that the device installing the app should be connected to the VPN or in the intranet.
I'm researching MDM in iOS, and found information about Apple’s native iOS mobile device management. Once the device is enrolled into an MDM server, the server can manage the device by sending commands. I tested on an MDM server and saw that without installing an MDM agent app on the device, the server can still send profiles and apply policies to the device.
Could anyone help me to address:
Is Apple’s native iOS mobile device management built inside the iOS itself?
Can an MDM server manage the device (install apps, disable camera, iTunes...) without installing an MDM agent app?
How can the device itself communicate with the MDM server and install profiles sent from the server automatically?
Do I need an enterprise account to use iOS MDM service?
Where can I find documents about MDM API and how to use it?
Is Apple’s native iOS mobile device management built inside the iOS itself?
Yes - as of iOS 4, devices became MDM-capable.
Can MDM server manage device (install apps, disable camera, iTunes...) without installing a MDM agent app?
Yes. The only thing an MDM Agent app will get you is the ability to report back on the device's IP address / network information, custom logging, etc. By default iOS does not allow for "tracking" a user's network details.
How can the device itself can communicate with MDM server and install profiles sent from server automatically?
This is what I refer to as "the circle of hell". Your MDM sends command/installation packets to the APNs server, the APNs server tells the device it has a pending command from the MDM, the device reaches out to the MDM for its instructions and acknowledges. My nickname is for the trouble it takes to get firewall permissions setup in large enterprises.
Do I need an enterprise account to use iOS MDM service? Where can I find documents about MDM API and how to use it?
To use an MDM service you do not need an Enterprise account. To create an MDM service and access its documentation you do need an Enterprise account at $299/year.
Yes.
N/A, as the 'agent' is already built into iOS.
To manage a device by MDM, the device must be enrolled manually first. During the enrollment process, a configuration file will be installed on the device containing the information of the MDM server. The MDM framework also makes use of push notifications to communicate with the device.
Yes. In addition, you also need the ability to generate MDM Vendor Certificate on Apple's Developer Portal.
Is Apple’s native iOS mobile device management built inside the iOS itself?
Yes, Apple has a secured mdm-client bundled in each Apple product. We can make use of the client upon enrolling. There is supervised enrollment where mdm-client can perform more privileged tasks.
Can MDM server manage device (install apps, disable camera, iTunes...) without installing a MDM agent app?
Yes, once the device is enrolled you can apply restrictions on iOS and macOS, install apps silently using VPP, etc. Refer to Configuration-Profile-Reference.pdf page 67 for a list of all restrictions.
How can the device itself can communicate with MDM server and install profiles sent from server automatically?
Like iOS apps, mdm-client responds to notifications through APNS. The server in which the device is enrolled will have the push-magic string, the device token and the topic the device listens to; these help the server notify the device. The device will then ping the server. I have attached the official MDM guide that you can refer to for more details.
Do I need an enterprise account to use iOS MDM service?
Here you have two options. If you want to build your own MDM solution then, like I said before, you would need to notify the device so that it contacts your MDM server upon enrollment. Similar to building an iOS app, you need a developer account to create an APNS certificate (refer here) to notify the default mdm-client.
Or if you just wish to manage your devices, you do not require a developer certificate. MDM vendors would use their certificate for signing, and you would need an Apple ID account to upload the certificate provided by your MDM to notify devices.
Where can I find documents about MDM API and how to use it?
Refer to the links below to get started with MDM. Comment your queries for any help.
1. Setting up MDM and MDM Protocol
2. Restrictions and other MDM profiles
3. Apple business manager