MDM to secure app on private device - ios

My clients use my app on their private devices, which are not under any MDM control or are under the control of a foreign company. I want to make sure that my app can only be executed when some requirements are met, like:
device is not jailbroken
device-password is set
At the end I want to make sure that no data is leaked, when the app is installed on private devices.
Is it necessary to install a client like MobileIron? If I can install an MDM profile, this must only guarantee the required conditions for my app.
How do I achieve this goal?

iOS MDM management will enable you to tell if a managed device has a passcode set; I don't think there is any other way (short of jail-breaking) to detect this.
Your own application can attempt to do jailbreak detection; Apple's MDM by itself cannot do jail-break detection.

Someone has already asked a similar question about detecting a jailbroken device: Determining if an iPhone is Jail broken Programatically. There are also some answers to a question about checking if a password is set but I don't think the code in the answers covers this for you. You might want to check it out though.
You need to be aware that fighting these device compromises is an ongoing battle. There may be a point where the code you have written is ineffective at determining a jailbroken device. This means that you cannot promise that your app will not run on jailbroken devices unless you are planning on tracking all of the techniques in the wild, and releasing new versions to keep up with the threat.
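
As an added example (not code from the original answers or the linked questions), the two start-up checks discussed in this thread could look like this in Swift. The path list is a constructed sample, `DevicePosture` and the function names are hypothetical, and the passcode check assumes iOS 9 or later; the heuristics need the ongoing maintenance the answer above describes.

```swift
import Foundation
import LocalAuthentication

// Result of the start-up posture check; an empty `findings` list means no signal fired.
struct DevicePosture {
    let passcodeSet: Bool
    let findings: [String]
    var acceptable: Bool { passcodeSet && findings.isEmpty }
}

// Filesystem artifacts commonly left by jailbreak tooling (constructed sample list;
// it has to be maintained as tooling changes).
let suspiciousPaths = [
    "/Applications/Cydia.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/usr/sbin/sshd",
    "/etc/apt",
    "/bin/bash",
]

func jailbreakFindings() -> [String] {
    #if targetEnvironment(simulator)
    // The simulator exposes the host Mac's filesystem, so path checks would false-positive.
    return []
    #else
    var findings = suspiciousPaths
        .filter { FileManager.default.fileExists(atPath: $0) }
        .map { "unexpected path present: \($0)" }
    // A sandboxed app must not be able to write outside its own container.
    let probe = "/private/posture-probe-\(UUID().uuidString)"
    if (try? "probe".write(toFile: probe, atomically: true, encoding: .utf8)) != nil {
        try? FileManager.default.removeItem(atPath: probe)
        findings.append("write outside sandbox succeeded")
    }
    return findings
    #endif
}

func passcodeIsSet() -> Bool {
    // .deviceOwnerAuthentication can only be evaluated when a device passcode exists.
    return LAContext().canEvaluatePolicy(.deviceOwnerAuthentication, error: nil)
}

func currentPosture() -> DevicePosture {
    DevicePosture(passcodeSet: passcodeIsSet(), findings: jailbreakFindings())
}
```

Call `currentPosture()` at launch and before sensitive data is unlocked, and withhold that data when `acceptable` is false.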

Related

Detect iBeacons without knowing UUID. Some apps are doing so

I looked into the answer for this question and in most of the answers, I found that it is not possible to detect the iBeacon without knowing the UUID of the device.
But some of the apps on the App Store are doing the same. Here are the links for those apps, which are detecting unknown iBeacons.
https://itunes.apple.com/in/app/locate-beacon/id738709014?mt=8
https://itunes.apple.com/us/app/my-beacon-best-beacon-manager/id850255614?mt=8
Let me know if it is possible to detect the unknown iBeacon.
Thanks in advance.

I am the author of the Beacon Locate app you referenced in the question. I can assure you that it must know the ProximityUUIDs up front in order to detect beacons. The app is pre-configured with a dozen or so UUIDs (Estimote's default UUID is one of these) so you can detect those beacons without first manually entering the UUID. We do this to make it as easy as possible on the user. (Obviously that worked as you did not even notice we were doing it. Thanks for the compliment!)
You can see these pre-configured UUIDs by going to the app Settings, which also allows you to enter more.
In the past there have been private APIs that allow you to detect any beacon on iOS. But there are three problems with these:
Apple forbids publishing apps in the AppStore that use private APIs
These private APIs are subject to change with any OS update, rendering them unworkable
The private APIs I know about to do this were all removed as of iOS 9

Prevent installation of iOS app in jail broken devices

I want to prevent installation of my iOS app on jailbroken devices. Are there any checks that can be done during installation to identify if the device is jailbroken? Is there any way to stop the installation if the device is jailbroken?

Generally, it breaks down to two questions:
1) Detection of a jailbreak device.
There are plenty of different methods. None of them is 100% guaranteed to work.
Look at this question:
How do I detect that an iOS app is running on a jailbroken phone?
2) Taking some actions on a jailbroken device
As @Paulw11 mentioned, you can't stop installation and you can't uninstall.
The common way is just to exit from your application (don't provide any useful functionality to a user). However, if your application has very high value, this protection can be removed by somebody who will reverse engineer your application.
Generally speaking, there is no bulletproof protection, but you can make it good enough, so it won't be worthwhile breaking it.

Controlling iOS device

Is it possible from my app to run in background, turn on/off other apps, control the iOS device without jailbreaking it? I understand that this app will not pass Apple's review/approval, but I am not planning it, instead, I just need to distribute it to a clearly defined list of devices. I just prefer not to require jailbreaking the device. Is it possible?

I believe it's possible without actually jailbreaking the physical device. Check out the second answer to this question for some more information. iOS app without developer program or jailbreak

Can an iOS device be secure while being Jailbroken?

In researching how iOS devices (iPhone/iPad/iPodTouch) are protected via encryption, I came across many articles that mentioned if a device was "jailbroken" then the built-in encryption of the iOS device was essentially null and void. That by jailbreaking, the default encryption could be bypassed.
Assuming this is true, is there any way to enable the encryption features of an iOS device while maintaining a jailbreak? There are a lot of tweaks I really make use of a lot (SBSettings) and I would hate to have to give them up in order to maintain security on iOS.

Jailbreaking removes the requirement for apps to be digitally signed. Anything will run now - so yeah you need to be careful what you load on there.
It's not an encryption issue though.

How to make my app work only on iPhone 3G and higher

Is there a way to limit devices, i.e. iPhone 3G and higher, and not to support the iPhone 2G and lower. I can't find an element that is different. I would limit it to iOS 3.1, however I'm pretty sure that iPhone 2G and lower can run iOS 3.1.

There is a similar question about 3GS+. But 3G+? That might be tough. I don't see anything in the UIRequiredDeviceCapabilities that specifies the 3G radio. You could try using another key based on a hardware feature that the 3G has that the iPhone doesn't, but then you risk getting your build rejected by Apple.
Using run-time checks to detect hardware as Sam Ritchie also suggests is also a bad idea since (1) that will most certainly trigger a rejection, and if it doesn't (2) people with older devices will be able to purchase the app, only to find out it won't run, and they will complain, which will cause Apple to pull your app from sale anyway.
The only way to do it without resorting to things that Apple disallows is to target iOS 4.0 or higher. 4.0 does not run on the 1st generation. I realize you want to target iOS 3.1, but you either allow all devices, or target 4.0.
One nice way to do this would be to check out the UIDevice-Extension project on github. It gives you the ability to detect what hardware you're running on.
I suspect that the way to solve this would be to examine your app and figure out what exactly you don't want a user of an earlier phone to be able to access. Once you've narrowed down the feature, you can easily check for the existence of that specific feature on the device. To do this, include the UIRequiredDeviceCapabilities key in Info.plist, and take a look at Apple's Build Time Configuration guide for a list of all possible values. You'll find it under the "Declaring the Required Device Capabilities" heading. Good luck!
Add some minimal Location based functionality to your app (so that Apple can't reject it), and then add the "gps" key to your app's UIRequiredDeviceCapabilities.
But consider that the percentage of 2G's users who actually still buy apps appears to currently be microscopic, and not worth bothering over. Just state the lack of support for these devices in your description.
This answer seems to answer your question:
https://stackoverflow.com/a/4128248/285694
The solution is to require "armv7" in the required device capabilities xml.
