6

I have an enterprise distribution certificate that I use to deploy internal applications. Certain of my applications have very sensitive material and to protect the application from being installed by just about anyone in the company, I use a password-protected directory on a web server to host the .IPA file, while the .plist file is on an open web server. Here's the problem I have:

On iOS6, I click the link to install (starts with itms-services://), iOS prompts me to enter my credentials then proceeds to install the application.

On iOS7, the same link works just fine, but for some reason, it asks for my credentials TWICE. Once my credentials have been entered twice, the application installs just fine.

Does anyone have any idea why this is happening? What's different in this process?

Simon Germain
  • I have experienced a similar issue with installing from the App Store on iOS 7. Occasionally, tapping "install" will cause the app to begin downloading, and when that download is complete it prompts me for credentials a second time. The app then re-downloads and installs fine. It is possible that your site is set up fine, and the bug exists on the iOS side of things. – Nick Jan 06 '14 at 19:00
  • Yeah, I had no issues whatsoever with iOS 6. – Simon Germain Jan 06 '14 at 19:01
  • To all who are voting to close my question because it's off-topic, where should I be posting this question, if not here? Thanks. – Simon Germain Jan 06 '14 at 19:05

2 Answers

5

I checked the web server's access log. The itunesstored application asked TWICE (HEAD and GET).

10.0.2.2 - - [06/Feb/2014:14:50:48 +0900] "HEAD /test/app/app.ipa HTTP/1.1" 401 - "-" "itunesstored/1.0 iOS/7.0.4 model/iPhone4,1 (6; dt:73)"
10.0.2.2 - test [06/Feb/2014:14:51:03 +0900] "HEAD /test/app/app.ipa HTTP/1.1" 200 - "-" "itunesstored/1.0 iOS/7.0.4 model/iPhone4,1 (6; dt:73)"
10.0.2.2 - - [06/Feb/2014:14:51:04 +0900] "GET /test/app/app.ipa HTTP/1.1" 401 539 "-" "itunesstored/1.0 iOS/7.0.4 model/iPhone4,1 (6; dt:73)"
10.0.2.2 - test [06/Feb/2014:14:51:09 +0900] "GET /test/app/app.ipa HTTP/1.1" 200 4066787 "-" "itunesstored/1.0 iOS/7.0.4 model/iPhone4,1 (6; dt:73)"

So, I changed a web server setting to ignore basic auth when it requests HEAD.

BEFORE:

<Directory "/Library/WebServer/Documents/test/app/">
    AuthType Basic
    AuthName "BASIC AUTH"
    AuthUserFile "/etc/apache2/htpasswd"
    Require valid-user
</Directory>

AFTER:

SetEnvIf Request_Method HEAD headreq
<Directory "/Library/WebServer/Documents/test/app/">
    Order Allow,Deny
    Allow from env=headreq
    AuthType Basic
    AuthName "BASIC AUTH"
    AuthUserFile "/etc/apache2/htpasswd"
    Require valid-user
    Satisfy Any
</Directory>

After that, the itunesstored application asked only ONCE (only GET).

Kazutaka Kamiya
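An added example, not part of either answer: a Python audit of access-log lines in the format quoted above. It lists the methods that drew a 401 challenge (the answer ties these to the credential prompts) and flags any non-HEAD request served without an authenticated user, which is the regression to watch for after exempting HEAD from Basic auth. The function names and the sample entries (constructed to mirror the quoted log, with a fixed timestamp) are assumptions.

```python
import re
from collections import defaultdict

# Apache combined log format, as in the access log quoted in the answer.
LINE = re.compile(
    r'\S+ \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"'
)

def audit(log_text, protected_prefix):
    """Return (challenges, exposures) for requests under protected_prefix.

    challenges: path -> methods answered with 401 (one auth challenge each).
    exposures:  (method, path) served 2xx with no authenticated user,
                for any method other than HEAD.
    """
    challenges = defaultdict(list)
    exposures = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or not m["path"].startswith(protected_prefix):
            continue
        status, anonymous = int(m["status"]), m["user"] == "-"
        if status == 401:
            challenges[m["path"]].append(m["method"])
        elif 200 <= status < 300 and anonymous and m["method"] != "HEAD":
            exposures.append((m["method"], m["path"]))
    return dict(challenges), exposures

UA = "itunesstored/1.0 iOS/7.0.4 model/iPhone4,1 (6; dt:73)"

def entry(user, method, status, size):
    # Constructed log entry in the quoted format (timestamp is a fixed sample).
    return (f'10.0.2.2 - {user} [06/Feb/2014:14:50:48 +0900] '
            f'"{method} /test/app/app.ipa HTTP/1.1" {status} {size} "-" "{UA}"')

# Constructed samples: BEFORE mirrors the four requests quoted in the answer,
# AFTER is what the HEAD exemption should produce, BROKEN is a hypothetical
# misconfiguration where the exemption also lets an anonymous GET through.
BEFORE = "\n".join([entry("-", "HEAD", 401, "-"), entry("test", "HEAD", 200, "-"),
                    entry("-", "GET", 401, 539), entry("test", "GET", 200, 4066787)])
AFTER = "\n".join([entry("-", "HEAD", 200, "-"), entry("-", "GET", 401, 539),
                   entry("test", "GET", 200, 4066787)])
BROKEN = AFTER + "\n" + entry("-", "GET", 200, 4066787)

if __name__ == "__main__":
    for name, log in (("before", BEFORE), ("after", AFTER), ("broken", BROKEN)):
        print(name, audit(log, "/test/app/"))
```

With the HEAD exemption in place, an unauthenticated HEAD still returns the response headers for the .ipa, so only the file body remains behind Basic auth.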
1

Not really an answer to your question, but your approach doesn't guarantee that unauthorized people couldn't install your app. If someone with the password to the directory holding the IPA file shares that file with others - you have no protection.

I had a similar situation and I put password protection directly in the app. Using the unique key generated by the app, the user would request a password which would be generated from this unique key (and hence would be unique to that user) to gain access to the app.

Larry
  • I'm not super concerned about that. The people installing that application aren't that technically savvy. It's not a bad idea, but not what I'm looking for. Thanks though! – Simon Germain Jan 15 '14 at 19:39