Dark mode support was added to version 2.20.31 (released in March of 2020) of the WhatsApp client. This is an iOS 13-only feature, and from the look & feel it appears to be a fully native implementation. I think it is safe to assume that the app is now being compiled with iOS SDK 13.0 or above.
The thing is, as of iOS 13, Apple now requires the native call screen to be shown whenever a VoIP notification is received - otherwise, the app will not receive any further VoIP notifications. In previous version of iOS, some apps (including WhatsApp) appear to use "fake" incoming VoIP calls to silently wake up the app in background when the user attempted to use the web client, so that the latter could then connect and exchange data directly with the phone.
However, as of the latest version, the web client still appears to work as it did before despite the restriction introduced by Apple. Using a debugger it is possible to observe the iOS app waking up whenever the user opens the web client on a PC, but no call screens are ever shown. This can be done repeatedly and as often as we want.
The logs from WhatsApp seems to confirm what is written above:
default 17:09:44.515731+0000 callservicesd Call source <CXXPCCallSource 0x111ecb0a0 identifier=UKFA9XBX6K.net.whatsapp.WhatsApp isConnected=1 processIdentifier=417 isPermittedToUsePublicAPI=1 isPermittedToUsePrivateAPI=0> registered with configuration <CXProviderConfiguration 0x111e9bb40 localizedName=WhatsApp ringtoneSoundURL=(null) iconTemplateImageData=0x0 maximumCallGroups=1 maximumCallsPerCallGroup=1 supportsAudioOnly=1 supportsVideo=1 supportsEmergency=0 supportsVoicemail=0 supportsCurrentPlatform=1 includesCallsInRecents=1 audioSessionID=1151157 supportedHandleTypes=2>
If we try to do this with our app, the results are quite different:
error 18:56:19.949023+0000 callservicesd Killing VoIP app com.xxxxx.xxxxx.xxxxx because it failed to post an incoming call in time.
Any idea what's going on here? Is WhatsApp using any sort of undocumented workaround or exploiting some sort of private API?
This is WhatsApp latest entitlements file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.developer.icloud-container-identifiers</key>
<array>
<string>57T9237FN3.net.whatsapp.WhatsApp</string>
</array>
<key>com.apple.developer.pushkit.unrestricted-voip</key>
<true/>
<key>com.apple.developer.ubiquity-container-identifiers</key>
<array>
<string>57T9237FN3.net.whatsapp.WhatsApp</string>
</array>
<key>application-identifier</key>
<string>UKFA9XBX6K.net.whatsapp.WhatsApp</string>
<key>com.apple.developer.carplay-messaging</key>
<true/>
<key>aps-environment</key>
<string>production</string>
<key>com.apple.developer.icloud-container-environment</key>
<string>Production</string>
<key>com.apple.developer.associated-domains</key>
<array>
<string>applinks:api.whatsapp.com</string>
<string>applinks:v.whatsapp.com</string>
<string>applinks:chat.whatsapp.com</string>
<string>applinks:wa.me</string>
</array>
<key>com.apple.developer.siri</key>
<true/>
<key>com.apple.developer.team-identifier</key>
<string>57T9237FN3</string>
<key>com.apple.developer.icloud-services</key>
<array>
<string>CloudDocuments</string>
<string>CloudKit</string>
</array>
<key>com.apple.security.application-groups</key>
<array>
<string>group.net.whatsapp.WhatsApp.shared</string>
<string>group.com.facebook.family</string>
<string>group.net.whatsapp.WhatsApp.private</string>
<string>group.net.whatsapp.WhatsAppSMB.shared</string>
<string>group.net.whatsapp.family</string>
</array>
</dict>
</plist>
This specific entitlement seems to be the reason that they are allowed to not report an incoming call:
com.apple.developer.pushkit.unrestricted-voip
I can't find any documentation regarding this entitlement, so I'm pretty sure they have been given a special permission by Apple.
I've asked eurodev support about this and just received:
At this point we don’t have any additional information about the unrestricted entitlement that you are asking about. The only information that’s available is linked here.
https://developer.apple.com/documentation/bundleresources/entitlements
Pushing back to them to get more info.
Thanks.
I'm trying to use Testflight to upload an IPA to my app testers, but it's failing with the following error:
Invalid IPA: The keychain-access-group in in the embedded.mobileprovision and your binary don't match.
I'm confused, because I think my settings are pretty standard and I have another app that I can build and distribute just fine (note: with a second developer account but in the same instance of Xcode).
Here are my settings:
My app id that I created in the Provisioning Portal is com.bubblefoundry.Clear. Naturally it's then prefixed with the numeric identifier Apple assigns.
I created an ad-hoc distribution provisioning profile with the app id and the desired devices. I downloaded it into Xcode.
The product name is Clear in Xcode.
The bundle name under the target's 'Summary' tab is com.bubblefoundry.Clear, where Clear is in light grey and filled-in automatically by Xcode. While I can add text before or after Clear, I can't delete it. The name under the 'Info' tab is com.bubblefoundry.${PRODUCT_NAME:rfc1034identifier}.
In the code signing build settings for both the project and the target, both Debug and Release are set to the iPhone Developer under the Automatic Profile Selector. I thought I might need to set Release to my distribution profile, but I didn't do this in the other, working project.
I can Archive my app just fine. Then in the organizer I can tell it to distribute it for ad-hoc development and then choose to re-sign it with the distribution provisioning profile I created earlier. No errors are reported. Likewise I can connect my iPhone and Run the app on the phone without problems. It only when I try to upload the IPA using Testflight.app that I'm told that the file is invalid.
Because it mentions embedded.mobileprovision, I figured I'd poke into the IPA and examine the file. Here's the relevant data (minus unique info):
<plist version="1.0">
<dict>
<key>AppIDName</key>
<string>Project Clear</string>
<key>ApplicationIdentifierPrefix</key>
<array>
<string>app-id</string>
</array>
<key>CreationDate</key>
<date>2013-01-11T17:44:51Z</date>
<key>DeveloperCertificates</key>
<array>
<data>
my-certificate
</data>
</array>
<key>Entitlements</key>
<dict>
<key>application-identifier</key>
<string>app-id.com.bubblefoundry.Clear</string>
<key>get-task-allow</key>
<false/>
<key>keychain-access-groups</key>
<array>
<string>app-id.*</string>
</array>
</dict>
<key>ExpirationDate</key>
<date>2013-10-07T17:44:51Z</date>
<key>Name</key>
<string>Project Clear Testers</string>
<key>ProvisionedDevices</key>
<array>
<string>device1</string>
<string>device2</string>
<string>device3</string>
<string>device4</string>
<string>device5</string>
</array>
<key>TeamIdentifier</key>
<array>
<string>app-id</string>
</array>
<key>TeamName</key>
<string>Bubble Foundry</string>
<key>TimeToLive</key>
<integer>269</integer>
<key>UUID</key>
<string>uuid</string>
<key>Version</key>
<integer>1</integer>
</dict>
</plist>
Looking at this, just about everything looks consistent with what I've set earlier. The only thought is that the AppIDName is Project Clear, not Clear. Is this the source of the problem? Or maybe keychain-access-groups should be app-id.com.bubblefoundry.Clear, not app-id.*?
In this case your app id should be com.bubblefoundry.Clear.
If you created your provisioning profile like:
com.bubblefoundry.*
You can use this provisioning profile with various Id's like.
com.bubblefoundry.Clear
com.bubblefoundry.my
com.bubblefoundry.Clear.newApp
com.bubblefoundry.testApp
com.bubblefoundry.yoyo
You can change the app Id in indo.plist
replace com.bubblefoundry.${PRODUCT_NAME:rfc1034identifier}. with required Id like: com.bubblefoundry.myTestApp.
I created an iOS app and want to distribute it Over-The-Air. I followed this guide:
http://help.apple.com/iosdeployment-apps/mac/1.1/?lang=en-us#app43ad77ea
The App is signed with the enterprise certificate and contains the distribution provisioning profile.
When I try to download the App onto the ipad (using the technique described in this guide), a square icon with my download icon appears on the screen with the name "Waiting...", then a second later the name changes to my actual application name and then again a second later i receive the error message:
Unable to Download Application
"Your Application" could not be downloaded at this time.
in the guide, there are three troubleshooting tips:
if wireless app distribution fails with an “unable to download”
message, check the following:
Make sure the app is signed correctly. Test it by installing it on a
device using iPhone Configuration Utility or Apple Configurator, and
see if any errors occur.
Make sure the link to the manifest file is correct and the manifest
file is accessible to web users.
Make sure the URL to the .ipa file (in the manifest file) is correct
and the .ipa file is accessible to web users.
I checked all three things and they are fine.
What else could cause my download problems?
As alexey mentioned, too many reasons can cause that message. Apple use it as a "catch all errors".
You can diagnose it through the Console. Connect the device to your desktop and access it either from XCode's Organizer (mac only) or iPhone Configuration Utility (mac and windows). But...
It just ain't that simple! :-(
Console may be far from enough. Sometimes there is no relevant message there.
Then, the last resort is following a checklist. Doing all over from zero again. There are many out there... But following there's my generic and non-detailed checklist for Over The Air distribution, at the moment.
Have a Distribution build - This is the most complicated part, done always on the web, and Apple changes the steps all the time. In general, you need a certificate, an identifier and the provisioning profile. Listing devices is almost always required. My current choice is "Distribution -> In House".
P.S.: If you do want to list the devices, make sure the UDIDs are correct. Many issues reported here.
Set the profile under Project -> Build Settings - Since XCode 5, things changed. Instead of code signing with an identity you can clear all that up and set it under *Code Signing -> *Provisioning Profile. The Identity should automatically change to "Automatic". There's also no more need to manually download files from step 1 and install them. XCode manages that now.
Archive - In Xcode 5, there's no need any more to "Build for Archive". Just archive it. It should show up next on Organizer, and it will take some time if it's a big project. Many errors can come up on this step, but they're almost always related to code compilation and not to OTA.
Deploy - Now in Organizer -> Archives, select the proper archive (should be already selected as the most recent one) click on "Distribute", then Save for Enterprise or Ad Hoc Deployment. May be big wait now. When saving the file, there is an option to "Save for Enterprise Distribution". That is a completely misleading name. What it really does is create the plist file. If you have one already, it's fine. You can even manually edit it, which is generally better. The plist be needed for step (5). Here's a good one:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>items</key>
<array>
<dict>
<key>assets</key>
<array>
<dict>
<key>kind</key>
<string>software-package</string>
<key>url</key>
<string>http://example.com/app.ipa</string>
</dict>
<dict>
<key>kind</key>
<string>full-size-image</string>
<key>needs-shine</key>
<false/>
<key>url</key>
<string>http://example.com/FullSizeImage.png</string>
</dict>
<dict>
<key>kind</key>
<string>display-image</string>
<key>needs-shine</key>
<false/>
<key>url</key>
<string>http://example.com/Icon.png</string>
</dict>
</array>
<key>metadata</key>
<dict>
<key>bundle-identifier</key>
<string>com.example.app</string>
<key>kind</key>
<string>software</string>
<key>subtitle</key>
<string>for iOS</string>
<key>title</key>
<string>My App</string>
</dict>
</dict>
</array>
</dict>
</plist>
Distribute - Skip this step if you want to install it using XCode or iPhone Configuration Utility. You're done. This is putting on the file on a web site. "Simply" add a HTML page with a href link such as this:
itms-services://?action=download-manifest&url=http://example.com/app.plist
Unfortunately dealing with web servers is never simple. So also check the server mime-type! I've made a couple PHP files to deal with them, if your server supports php. Just keep your files as they are (the plist, html and ipa) and link to app.plist.php instead:
app.plist.php
$file = fopen("app.plist", "r");
while(!feof($file)){
$line = fgets($file);
print str_replace(".ipa", ".ipa.php", $line);
}
fclose($file);
?>
app.ipa.php
<?php
header('Content-type: application/octet-stream');
$file = fopen("app.ipa", "r");
while(!feof($file)){
$line = fgets($file);
print $line;
}
fclose($file);
?>
Verify - Ensure that all files listed in the assets array are available to download. If any of these files return 404 or such (including the icons) the entire install will fail. You must either (A) make those files available or (B) delete those missing entries from the plist. The icon entries are not required for the download to work.
Here is an example plist with no icons:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>items</key>
<array>
<dict>
<key>assets</key>
<array>
<dict>
<key>kind</key>
<string>software-package</string>
<key>url</key>
<string>http://example.com/app.ipa</string>
</dict>
</array>
<key>metadata</key>
<dict>
<key>bundle-identifier</key>
<string>com.example.app</string>
<key>kind</key>
<string>software</string>
<key>subtitle</key>
<string>for iOS</string>
<key>title</key>
<string>My App</string>
</dict>
</dict>
</array>
</dict>
</plist>
The file examples are a very important part of the checklist. They have to be 100% correct.
Double check the plist and html files!
P.S.: I'm writing this answer because, in my case, it was a "simple" matter of wrong link on the .plist file. And, as such, it's hard as hell to diagnose. Well, only doing this checklist could I find the error! It was pointing to "another-app.ipa" rather than "app.ipa"!
There are a plenty of reasons to cause this message.
The best way to diagnose it is to connect a device to Mac and look Console for the device in Organizer.
In my case, for example, it was:
verify_bundle_metadata: This app was not build to support this device family
Answering my own question:
The problem was that one of the thumbnails did not have the correct path set in the manifest.plist - so not only the ipa needs the correct path, but also the temporary download icons, otherwise the installation will fail with the mentioned error message.
Another Issue that it could be is that both the .plist AND the .ipa need to be hosted with HTTPS and not just regular HTTP. The software package string should look like below:
<key>kind</key>
<string>software-package</string>
<key>url</key>
<string>https://example.com/app.ipa</string>
Stupid little oversight but it was tripping me up for awhile.
We did experience the very same error message when trying to install an iOS 5+ app to an iOS4.3.5 phone.
Did you also check deployment/build targets and target architecture to match the device(s) showing that issue?
Make sure the casing is matching in all the files. They tend to be case insensitive.
In my case the issue was on my device an older version of same app was installed with same bundle identifier (downloaded from applstore) so now when I was trying to download its new version via enterprise distribution it was doing nothing, no error at all. Delete existing version from the device solved my issue.
I found in console.
installcoordinationd(MobileInstallation)[99] :
****bundleID****:5:11:1:1:Updating PlaceholderMetadata for
****bundleID**** with failure 1 _LSInstallType 1, underlyingError
(Error Domain=MIInstallerErrorDomain Code=13 "Failed to verify code
signature of
/private/var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.IoCSM9/extracted/Payload/App.app
: 0xe8008016 (The executable was signed with invalid entitlements.)"
UserInfo={LibMISErrorNumber=-402620394,
LegacyErrorString=ApplicationVerificationFailed, SourceFileLine=147,
FunctionName=+[MICodeSigningVerifier
_validateSignatureAndCopyInfoForURL:withOptions:error:], NSLocalizedDescription=Failed to verify code signature of
/private/var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.IoCSM9/extracted/Payload/App.app
: 0xe8008016 (The executable was signed with invalid entitlements.)}),
source 17>
Here we should look at:
Failed to verify code signature of App.app
The executable was signed with invalid entitlements.
In my case it was because i downloaded enterprise build from amazon. But the provisioning profile, which it was builded with, was expired (figured out in developer console).
Another one with the other purpose:
"This app could not be installed at this time."
UserInfo={NSLocalizedDescription=This app could not be installed at
this time., NSUnderlyingError=0x100cbd3c0 {Error
Domain=MIInstallerErrorDomain Code=64 "Upgrade's
application-identifier entitlement string (BBBUUUU.com.bundle.www)
does not match installed application's application-identifier string
(CCCEEEE.com.bundle.www); rejecting upgrade."
UserInfo={LegacyErrorString=MismatchedApplicationIdentifierEntitlement,
FunctionName=-[MIInstallableBundle
_validateApplicationIdentifierForNewBundleSigningInfo:error:], SourceFileLine=878, NSLocalizedDescription=Upgrade's
application-identifier entitlement string (BBBUUUU.com.bundle.www)
does not match installed application's application-identifier string
(CCCEEEE.com.bundle.www); rejected
Here i just removed the previous version of the app. The error was, because i changed the team for the bundle ID and it was installed the app with previous bundle ID.
Open console with:
Xcode > Window > Devices
Select the device
Expand a console with with a box with an arrow inside of it in the bottom left corner.
Try checking bundle identifier in your XCode and .plist file
In my case I did following to get rid off "cannot connect to dl.dropboxusercontent" message after providing ipa shared link.
1. Removed md5 section from plist
2. Uploaded 512*512 and 57*57 images to drop box, and provided shared link in fill_size_image and display_image in plist.
The first thing to check here is that the device you are installing on has the correct OS for the app your are installing. For instance, if the app is built for iOS 11, and your device has iOS 10 on it, then the app will install but you will see this error "Unable to Download Application".
In my case, there was a problem with incorrect file permissions of the FTP folder and the files inside (manifest, ipa, images). Check that they have 775 (rwx) and that Owner/Group is your owner.
The error in the device console was like "Cannot connect to iTunes Store" or "Failed artwork for bundleID" or "Failed to load placeholder artwork for bundleID". But it's just about the files.
I need to create an iOS .xarchive file using a developer profile, that a client can resign using their distribution profile(s).
(I have read this but it didn't have any real solutions: How can I send iOS app to client, for them to code-sign)
The client doesn't want to share their private keys, nor give me access above 'Developer' in the member center. And we don't want to share our source code.
We need to support push notifications, so this means we need a fully qualified app id.
I cannot figure out a way that allows me to build and export an .xarchive signed with 'aps production', 'get-task-allow' as false, BUT ALSO using the certificate that matches the clients distribution certificate.
This feels like a bug in Xcode, shouldn't the changes to 'aps production' and 'get-task-allow' be tied to the configuration, not the type of provisioning profile? I am using 'Release', but with my developer profile.
Am I missing something, or is this just not possible?
I figured out the answer to this question through trial and error. Even though tech notes and most web resources say you don't need an entitlements.plist if you are using XCode4+, there are certain cases where you do. Two cases are represented by my question above:
building Release configuration (i.e.: Archive), but signing with a Developer provisioning profile
using push notifications
My final custom entitlements.plist has 3 values:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>get-task-allow</key>
<false/>
<key>aps-environment</key>
<string>production</string>
<key>keychain-access-groups</key>
<array>
<string>L23874DF.com.your.appid</string>
</array>
</dict>
</plist>
Once I had that in my entitlements.plist, I built with the developer provisioning profile for this app id. Then I archived it, and exported the archive from the organizer. Once exported, I sent it to my client. The client was able to resign the archive with an ad hoc profile, and send me back an IPA file, which I loaded onto my device. I also successfully received a push notification from Urban Airship to this IPA!
I know that in general installation via HTTPS is working but somehow it doesn't in my Environment.
The itms-service link is HTTP as far as I understood:
itms-services://?action=download-manifest&url=http://' . $_SERVER['SERVER_NAME'] . $downloadLink
The links in the .plist are then HTTPS
<key>assets</key>
<array>
<dict>
<key>kind</key>
<string>software-package</string>
<key>url</key>
<string>https://app.ipa</string>
</dict>
<dict>
<key>kind</key>
<string>full-size-image</string>
<key>needs-shine</key>
<true/>
<key>url</key>
<string>https://image_512x512.png</string>
</dict>
<dict>
<key>kind</key>
<string>display-image</string>
<key>needs-shine</key>
<true/>
<key>url</key>
<string>https://image_57x57.png</string>
</dict>
</array>
But the app won't install. I always get the message "App could not be loaded"
All URL's are reachable with HTTP & HTTPS.
XCode shows the app log
unknown securityd[2331] : CFReadStream domain: 12 error: 8
What am I doing wrong here?
Thx
There's not a huge amount of information about how you've tried to solve this, so rather than actual answers I just have questions. If the answer to any of the questions is 'no' then should point you at the area your problem is in.
Is https://app.ipa the actual URL you're using in the .plist? If so I'd try with the full hostname & path in there.
Does the https site have a proper signed valid certificate that Safari on iOS accepts without any interaction with the user? If not try a proper certificate.
Do you see the .ipa file get downloaded from the server, if you check the server log file?
Have you tried installing the .ipa file using iTunes, does it get accepted?
The problem is that the Certificate Authority needs to be known by the iPad.
If you distribute Apps with HTTPS and the CA Server is your own, you need to install the certificate on the iPad. Otherwise iOS will try to download it.
You can install it sending it via email to your iPad or create a .pem File from the Keychain Access program and host it on your server for installation purposes. Then open it with Safari and iOS will ask you to accept it.
Then the installation works. But beware of using .htaccess as using HTTPS and HTTP together in the installation process seems to trigger the login/password for every request, which are 4 for images, .ipa and .plist, which is really annoying.
[EDIT]
Please keep in mind that you need to refer to the .plist file only with HTTPS since Apple introduced iOS 7.1.
See here: Enterprise app deployment doesn't work on iOS 7.1