Code signing to check for IOS ipa integrity .

Code Signing General
kakarot173
kakarot173 OP
Created Mar ’22
Replies 5
Boosts 0
Views 5.2k
Participants 2

Is there a way to check your app signature to verify if any one has tampered with the ipa file. I want to know specifically how to determine and handle this type of situation. How can i do a check for this in code(swift).

Answered by kakarot173 in 708946022

in

Replies  5
Boosts  0
Views  5.2k
Participants  2
kakarot173
kakarot173 OP
Mar ’22

Guys need your inputs on this please. Thanks

0
Apple Staff, DTS Engineer
DTS Engineer OP
Apple
Mar ’22

Guys need your inputs on this please.

Dude, patience.

Oh, and as a reminder, DevForums is an informal support channel. If you want formal support, open a DTS tech support incident. And if you follow that link you’ll find that DTS aims to respond to queries “within three business days”.

An .ipa file is just a zip archive it disguise. It doesn’t have its own signature, and thus there’s nothing to check.

If you want to check the signature of the app within the .ipa file, the answer to that depends on the context. Is your goal to do this on iOS itself?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
Apple Staff, DTS Engineer
DTS Engineer OP
Apple
Mar ’22

Basically i want to have a check on our side to know if my app has been tampered with or not.

The supported way to do that is with App Attest.

The path you’re going down is not supported by DTS. There are two reasons for this:

  • Anti-tamper protection is a form of DRM, and DTS does not support DRM [1] development in general. Any DRM system involves a trade-off between effectiveness and compatibility: The more effective your system is, the less likely it is to be compatible in the long term. DTS falls on the compatibility side of this divide, and so we don’t support DRM.

  • In this specific situation, Apple regularly transforms your app during the distribution process. For example:

    • Re-signing the app
    • Adding the App Store’s own DRM
    • App thinning
    • Applying bitcode

    Some of these you can avoid but not all of them, and Apple reserves the right to add more as time goes by. There’s no supported way to distinguish Apple’s valid tranformations from tampering.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Well, non-Apple DRM. We do support various aspects of FairPlay.

2
kakarot173
kakarot173 OP
Mar ’22
Accepted Answer

in

1
Apple Staff, DTS Engineer
DTS Engineer OP
Apple
Mar ’22

But is there a way to get Get Certificate SHA1 Fingerprint in iOS.

You’ll need to be more specific as to what you’re looking for here. There are at least two two different ways that we calculate certificate SHA-1 fingerprints, and that’s just in the Apple ecosystem (-:

Also, please put those details in a new thread, as it’s kinda off-topic for this one. Tag it with Security so that I see it.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
Code signing to check for IOS ipa integrity .
First post date Last post date
 
 
Q