109

When I set up my entitlements in my iPhone app project, I create a new Entitlements.plist, and set the value of get-task-allow to false. But why? What does this key represent?

Note this is related to Application could not be verified error when building app for iPhone device - I found that flipping the value of this key to true allowed me to install the app on my device)

grg
  • 5,023
  • 3
  • 34
  • 50
Codebeef
  • 43,508
  • 23
  • 86
  • 119

4 Answers4

180

From this thread on ADC:

get-task-allow, when signed into an application, allows other processes (like the debugger) to attach to your app. Distribution profiles require that this value be turned off, while development profiles require this value to be turned on (otherwise Xcode would never be able to launch and attach to your app).

Codebeef
  • 43,508
  • 23
  • 86
  • 119
  • 2
    So are are projects required to have two Entitlements.plist files, one where this value is set to YES that targets Debug profiles, and another that specifies NO, targeting Distribution profiles? – Greg Maletic Feb 09 '11 at 01:27
  • 2
    Nevermind, solved my own question. If you leave out Entitlements.plist out of your Debug build settings, you have no problem. – Greg Maletic Feb 09 '11 at 01:51
  • nit picking, but developer profiles do not *require* this value to be turned on. they'll still run. you just can't attach the debugger. – jamie Jul 27 '11 at 00:23
  • 1
    But, I could debug even after Entitlements.plist was not included to the project in Debug mode with Developer profile. Could someone explain me this? – spd Apr 20 '12 at 10:52
  • 1
    default for debug is true, default for release is false. Turning it to false will disable debug. – The Lazy Coder Apr 24 '12 at 01:28
  • 1
    But distribution configs are usually derived from 'release'. Shouldn't that mean that you don't need to specify FALSE for AdHoc? (or for that matters, have an Entitlements file at all?) – Nicolas Miari Jun 16 '12 at 17:08
  • This answer make sense but my question is how get-task-allow found its way into my distribution profile. Organizer dont give me way to edit it. – Alok C May 25 '16 at 23:53
  • I think this was the link you originally meant: https://developer.apple.com/forums/thread/119059 – mfaani Jun 23 '20 at 20:12
19

While your answer is correct, I just want to be more specific on this just so people who want to know what does exactly get_task_allow mean, can.

get_task_allow is an entitlement that allows other apps to get the task port of your app. This means that if any other app runs task_for_pid() with your app process ID they'll get the task port of your app so they can do things like for example writing and reading things on the memory, therefore being able to patch things and modify the behavior of your app.

If you take a look at how a jailbreak works, you'll notice one of the first things they do is get task_for_pid(mach_task_self(),0,&kernel_task); being that kernel_task is a mach_port_t with value 0, so they are able to touch the kernel's memory.

As kernel entitlements do not have get_task_allow entitlement, and Apple has even removed the possibility of doing tfp0(task_for_pid 0), they need a patch.

So basically as Xcode needs to touch your app's memory and work with it to debug it, you'll need to enable this for debugging, but you'll need to disable this to distribute your app or else any app would be able to get your task port.

amodrono
  • 1,900
  • 4
  • 24
  • 45
  • 1
    And to add on a official link: https://developer.apple.com/library/archive/technotes/tn2415/_index.html#:~:text=and%20UIPasteboard%20sharing.-,get%2Dtask%2Dallow,-The%20boolean%20value says "The boolean value of `get-task-allow` determines whether Xcode's debugger can attach to the app." – CyberMew Jan 08 '22 at 06:39
14

The ability to debug your application on the iPhone.

cdespinosa
  • 20,661
  • 6
  • 33
  • 39
  • 1
    Interesting! If that's all it does, then I wonder why flipping the value to false prevents me from installing the app on my device? (Related SO question: http://stackoverflow.com/questions/997884/application-could-not-be-verified-error-when-building-app-for-iphone-device) – Codebeef Jun 17 '09 at 17:58
  • That's what it does...but what does it ACTUALLY do that allows you to do that? – Ryan Detzel Jun 17 '09 at 20:52
  • 1
    This answer could be greatly improved if it included more information like Codebeef's. – Jadar Dec 22 '16 at 18:21
  • @Codebeef I believe this is a restriction that Xcode imposes rather than an inherent one. – saagarjha Mar 25 '18 at 02:58
-8

For xcode 4:you have to create Entitlements.plist file from new file. and Targets->build Settings->Code Signing Entitlements you have to write here "Entitlements.plist"

I did this and xcode don not get anymore error

Yiğit
  • 166
  • 2
  • 9