
In over-the-air distribution of an enterprise iPhone app, the iPhone securely downloads an XML manifest file containing a fully-qualified URL pointing to the .ipa file (the app itself), then downloads the app from there and installs it.

I am wondering whether there is a security flaw here. Assuming the iPhones are outside the firewall on the public Internet, and in the absence of a VPN, wouldn't the .ipa file have to be publicly readable over HTTP, i.e. anyone could grab it and install it using iTunes if they knew the URL?

The Apple reference is http://help.apple.com/iosdeployment-apps/#app43ad871e (enterprise developers only I think).

Probably I'm missing something and it's safe?

Thanks

Bill.

BillF
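To make the question concrete, here is an added example (not from the question, the answers, or Apple) that parses a manifest of the kind described above and flags the things a defender would check before publishing it: whether the .ipa is fetched over plain HTTP and whether it is hosted on a server you control. The items/assets/metadata layout with a `software-package` asset is Apple's documented manifest structure; the sample manifest, the `apps.example.com` host, the allowlist and the finding texts are constructed for this example.

```python
"""Audit an iOS enterprise OTA manifest (example code, not from the question or Apple).

The manifest layout (items -> assets -> software-package URL) is Apple's documented
structure; the sample manifest, host allowlist and finding texts are constructed here.
"""
import plistlib
from urllib.parse import urlparse

# Constructed sample manifest: what an itms-services:// link would point a device at.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>items</key>
  <array>
    <dict>
      <key>assets</key>
      <array>
        <dict>
          <key>kind</key><string>software-package</string>
          <key>url</key><string>http://apps.example.com/builds/Field.ipa</string>
        </dict>
      </array>
      <key>metadata</key>
      <dict>
        <key>bundle-identifier</key><string>com.example.field</string>
        <key>bundle-version</key><string>1.0</string>
        <key>kind</key><string>software</string>
        <key>title</key><string>Field App</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def package_urls(manifest_bytes):
    """Return every software-package URL the manifest tells the device to download."""
    manifest = plistlib.loads(manifest_bytes)
    urls = []
    for item in manifest.get("items", []):
        for asset in item.get("assets", []):
            if asset.get("kind") == "software-package":
                urls.append(asset["url"])
    return urls


def audit_manifest(manifest_bytes, allowed_hosts):
    """Flag .ipa URLs a defender would not want to ship in a manifest.

    Returns a list of (url, reason) tuples. allowed_hosts is the set of hosts you
    control and have put access control on (an assumption of this example, not
    something the manifest itself can enforce).
    """
    findings = []
    for url in package_urls(manifest_bytes):
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append((url, "ipa is fetched over plain HTTP; serve it over HTTPS"))
        if parsed.hostname not in allowed_hosts:
            findings.append((url, "ipa host is not in the allowlist of controlled servers"))
        if not parsed.path.endswith(".ipa"):
            findings.append((url, "software-package URL does not point at an .ipa"))
    return findings


if __name__ == "__main__":
    # The constructed manifest uses http://, so this prints one finding.
    for url, reason in audit_manifest(SAMPLE_MANIFEST, {"apps.example.com"}):
        print(f"{url}: {reason}")
```

Note that a manifest check like this only tells you where the device will go; it cannot make the .ipa private. Anyone who learns the URL can still fetch the file unless the web server enforces access control on it, which is the concern the question raises.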

3 Answers


In order to use an OTA iPhone app, the person who is attempting to download the app must install the proper certificate.

Enterprise Apps are limited to 1000 OTA installs, which Apple can track on their end.

For non-enterprise developer accounts, you have a 100-device limit, and you first have to get the device UDID up to the provisioning portal before they can install the proper certificate to run the app.

So while you can freely distribute the .ipa (over HTTP or FTP or whatevs), they'll still need the proper valid certificate, and that is controlled.

Of course there are probably ways around this, but in general that's how Apple protects OTA installs.

Alan
  • Thanks, I think I get it now. Before you can build your app and distribute it you have to create an Enterprise Distribution Provisioning Profile, download it, and drag it into Xcode. When you create that profile, you are not obliged to list the permitted device IDs -- however you may do so (I think). Sounds like when you add new device IDs you will have to publish an update. – BillF Feb 02 '12 at 23:38
  • From this it seems that you can protect the app by listing allowed device IDs, and if you don't specify device IDs then you are unprotected. – BillF Feb 03 '12 at 00:16
  • Is there a way to install the certificate OTA as well? – xdumaine Aug 23 '12 at 17:16
  • `the person who is attempting to download the app must install the proper certificate` - how can that person do it? What would be the proper certificate? – p4sh4 Aug 06 '15 at 02:53
  • Our company put the cert on an internal webserver, and sent out an email. I am sure there are other methods. – Alan Aug 06 '15 at 19:39

Yes, the .ipa is on the open internet. You can password-protect (.htpasswd) the page so anyone knowing the URL needs to enter a user/password combo to enter the page and to download the .ipa.


If you are distributing the .ipa file for your Enterprise profile, that app can be installed on any device. You would see a subtle warning at the bottom of the provisioning page that says something like,

This profile can be installed on any application.

I've tested it, and it does indeed work.

Anurag