I have an app-server process that needs to check if the device making a request is an actual iOS device. I used to do this by taking advantage of push notifications. The user first authorizes push. Each time the user makes a specific type of request, I push a code to that device with which the app uses to make a second "authenticated" request to the app server. That additional channel of going through APNS would, in a sense, prove the authenticity of the requester's device. This makes it difficult for a person to spoof the request because they would not be able to receive the push notification with the needed code.
Recently though Apple started enforcing the rule that apps cannot require the user to accept push notifications in order to use the app, even though we do not use push notifications for alerts.
Is there any comparable way for my app server to check with Apple that a request is coming from my app on an actual iOS device? Or is this an unrealistic expectation to be able to determine this.
I could not find the article now, but some guys managed to register raspberry pi as a iOS device and receive push notifications via wifi... that I believe would be concrete proof that not even your first "2 way authentication" is really safe...
Now, directly answering, NO, there's no way for your app server to check if the request did come from a iOS device because all info in a TCP/UDP package is 100% "spoofable"...
Related
I'm trying to detect uninstalls of our iOS app.
I read this document which gives some useful information. However, how can I understand from the error codes returned whether the user uninstalled versus disabled push notifications/has no connectivity?
I think you'll want to use the Feedback Service. When a user deletes an app, the service provider should ideally stop sending notifications to that device. But Apple does not notify the service that "this device is not using your app, dont send notifications". Technically, a device which has uninstalled your app will not make it onto this list until the next time a push notification goes to the device. So you need to poll for this info using the Feedback Service.
Periodically, you will need to hit Apple Notification servers asking it to give you IDs that have deleted your app. Once you get them you mark them in your DB as deleted thereby not sending any more notifications. This Feedback Service will tell devices that have been unregistered (app uninstalled). The part I'm not sure about is whether a user who has turned off push notifications in settings will register the same. I believe they will not show up in the feed from the Feedback Service. I am certain, however, that users who are offline and the push notification is not delivered will not be included in the list.
It would be a simple test in your dev region to try the app, disable push notifications for the app, and then see if the device shows up in the feed.
Take a look at Apple's documentation
From Apple Documentation -
Apple Push Notification Service includes a feedback service that APNs
continually updates with a per-application list of devices for which
there were failed-delivery attempts. The devices are identified by
device tokens encoded in binary format. Providers should periodically
query the feedback service to get the list of device tokens for their
applications, each of which is identified by its topic. Then, after
verifying that the application hasn’t recently been re-registered on
the identified devices, a provider should stop sending notifications
to these devices.
Access to the feedback service takes place through a binary interface
similar to that used for sending push notifications. You access the
production feedback service via feedback.push.apple.com, port 2196;
you access the sandbox feedback service via
feedback.sandbox.push.apple.com, port 2196. As with the binary
interface for push notifications, you must use TLS (or SSL) to
establish a secured communications channel. The SSL certificate
required for these connections is the same one that is provisioned for
sending notifications. To establish a trusted provider identity, you
should present this certificate to APNs at connection time using
peer-to-peer authentication.
Make sure you also read up on - Issues with Feedback Service
I am doing MDM implementation in iOS and I have one server for its implementation.I have gone through the documents and understood the process that we have to undergo.But Simply I don’t understand how it will happen.I have one server and one device.I have my PEM file enrolled in the server.
As the process of MDM says server sends push notification through the device and the information that is present in the message in only the identifying token.Then device is connected to the server and sends an idle message confirming that device is ready for the commands.
My question is how device receives the push notification.If app is in back ground state and it gets a notification to connect to the server is there any method to detect it and send the feedback or is it happening automatically or we have to write some code for it. Also how does the plist (that we get in command) make changes in the settings (unlock to lock) .Do we save it somewhere in the device configuration?
I have got a lot of questions about the command format but did not get anything how the command works.May be I am missing basic iOS coding.please just explain me the above format.
how device receives the push notification.If app is in back ground state and it gets a notification to connect to the server
First of all, you will have to implement server side only for iOS MDM. Client side is implemented by Apple and MDM client is baked into iOS.
As part of OS it dosn't have restriction which usual iOS apps has. It has a persistent channel to APNS and as soon as somebody send a push notification to APNS, the device will receive it through this persistent channel and will start doing what it should be doing.
Also how does the plist (that we get in command) make changes in the settings (unlock to lock) >.Do we save it somewhere in the device configuration?
The answer is the same. You don't have to implement anything on the iOS side. It's all done by Apple- MDM client will get the command, parse it, save it to appropriate places and enforce appropriate policies.
Is there anything preventing SENDING a push notification FROM an iOS application? There are reasons for my madness. If so, are there any good examples out there? I have code that should be working and if there is no blocking reason, I will post the code.
I tried on Verizon and AT&T. Would want it over a carrier for now.
Please do not comment on why, etc.
[addition]
This would not be for a public app, testing internal only.
I don't see any reason what this wouldn't work. You'll have to include the push certificate with your application, and your users will have to download a new version of your app every time the certificate expires (which means once a year). You'll also need to send to each device all the device tokens of devices it should send notifications to.
The sending code should be the same as it would be in a server that sends push notifications, but you would have to implement it in objective C.
All in all it doesn't seem like a good idea, since you'll need a server anyway (for each device to get the device tokens of other devices), so it makes more sense that the server will do the sending.
Actually yes - there are a few things that prevent you from sending push notification from iOS.
Even if you manage to install (use in your app) certificates needed to properly connect to Apple's APNS server their policy is to start blocking clients that create many short connections.
So for public app you would need to use a "normal" way of setting up your PHP server that manages communication with APNS. Otherwise many public IP's (devices) using your credentials would lead to blocking your app APNS certificate.
If this would be just for private use then there is no reason not to give it a try.
I want to create an iOS chatting app using APNS. If I have 10,000 active and they are continuing chatting, will apple block my developer account ? Is there any limitation regarding this?
I would discourage you from using APNS as a backbone of an "chatting app".
If you need fast chatting functionality you should write your own TCP-socket based server.
If every-few-second syncing is o.k. you can get away with a HTTP-based server backend (but all the pull-syncing can be hard on network traffic - so TCP-socket is still better choice).
You could however use APNS for fallback - when your app on certain device is not responding (i.e. is not connected to server) you can send an initial message trough APNS (to wake up your app & to notify the user there is a message waiting for him).
As soon as the user opens your app you should switch back to your TCP-socket or HTTP request based server communication.
As for your question: no, Apple would most probably (one can never know for sure) not reject your app just because of using APNS for chatting. But note (as the others said allready): messages between two users will get "lost" if they would interact too frequently - see the link Roman Barzyczak gave you.
"If you are sending multiple notifications to the same device or computer within a short period of time, the push service will send only the last one."
more information: http://developer.apple.com/library/ios/#technotes/tn2265/_index.html
but Apple wont block your developer account :)
You can use them for messaging but you are going to quickly find out that there is no guarantee they will arrive. This is known as the black hole of push notifications. ;-)
I like this answer here.
First try to use an APNS only solution.
Make your push notifications stateless (they only serve as "Hey you have some new stuff in the server").
So when the client gets a push notification it asks the server for new data (messages or other stuff).
Use OneSignal to simplify the code that sends push notifications (from the back-end). If a user in your app gets a message after 10 seconds he dose not care if you used TCP,socket.io or xmpp...
Even Whatsapp's messages can take couple of seconds to arrive.
A chat app is not a realtime game. A delay of couple of seconds will be acceptable by end users.
I've checked through other questions and responses here at StackOverflow but couldn't see something exactly like this; I would like to be able to push a token via APNS. The purpose of this is to verify that a subsequent user request to a restful web service comes from an iPhone device and not from a non-iPhone source (it's trivial to change HTTP headers to fake looking like an iPhone request).
Couple of questions:
Is it permissible under Apple Guidelines to insist that push notifications be enabled ?
Is it possible to send a SILENT push notification carrying some small text payload?
Does anyone know if this would pass Apple's scrutiny or run afoul of their guidelines
Many thanks.
You cannot force user to accept push. A user always has option to refuse.
Yes you can send a notification with no sound / text, and add metadata.
Yes, sending a token seems an acceptable use for Apple.
However, I do not personally think this use case does cleverly fit the push use case at all. You will have to many edge case to make it reliable enough (delivery delay and non garantee of delivery, etc)
It is easier to have other mechanisms in place (like secret + signature in the URL by the app).
I see that folks are still looking at this question. FYI, for enterprise dev which is the area I mostly work in, you simply register the iOS app as a VOIP app and it will accept silent notifications without a need for the user to approve.