Question

In over-the-air distribution of an enterprise iPhone app, the iPhone securely downloads an XML manifest file containing a fully-qualified URL pointing to the .ipa file (the app itself) then downloads the app from there and installs it.

I am wondering whether there is a security flaw here. Assuming the iPhones are outside the firewall on the public Internet, and in the absence of a VPN, wouldn't the .ipa file have to be publicly-readable over HTTP, i.e. anyone could grab it and install using iTunes if they knew the URL?

The Apple reference is http://help.apple.com/iosdeployment-apps/#app43ad871e (enterprise developers only I think).

Probably I'm missing something and it's safe?

Thanks

Bill.

Solution

In order to use an OTA iPhone app, the person who is attempting to download the app must install the proper certificate.

Enterprise apps are limited to 1000 OTA installs, which Apple can track on their end.

For non-enterprise developer accounts, you have a 100-device limit, and users first have to get the device UDID up to the provisioning portal before they can install the proper certificate to run the app.

So while you can freely distribute the ipa (over HTTP or FTP or whatevs) they'll still need the proper valid certificate, and that is controlled.

Of course there are probably ways around this, but in general that's how Apple protects OTA installs.

Other tips

If you are distributing the .ipa file for your Enterprise profile, that app can be installed on any device. You would see a subtle warning at the bottom of the provisioning page that says something like,

This profile can be installed on any application.

I've tested it, and it does indeed work.

Yes, the .ipa is on the open internet. You can password protect (.htpasspw) the page so anyone knowing the URL needs to enter a user/password combo to enter the page and to download the ipa.
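
An added example, not part of the original question or answers: a Python check an administrator can run against their own OTA manifest to list the .ipa URLs it exposes and report whether each is served over HTTPS and refuses a request sent without credentials. It assumes the usual manifest layout (items, then assets, with kind `software-package`); the sample manifest, host name and function names are constructed for illustration.

```python
import plistlib
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed sample manifest; host and file name are placeholders.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>items</key><array><dict>
  <key>assets</key><array><dict>
    <key>kind</key><string>software-package</string>
    <key>url</key><string>http://apps.example.com/ota/MyApp.ipa</string>
  </dict></array>
</dict></array>
</dict></plist>"""

def package_urls(manifest_bytes):
    """Return every .ipa (software-package) URL named in the manifest."""
    plist = plistlib.loads(manifest_bytes)
    return [asset["url"]
            for item in plist.get("items", [])
            for asset in item.get("assets", [])
            if asset.get("kind") == "software-package" and "url" in asset]

def http_status(url, timeout=10):
    """HTTP status of a HEAD request sent with no credentials."""
    request = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403 arrive here as exceptions

def audit(manifest_bytes, probe=http_status):
    """List (url, problem) pairs; probe is swappable for offline runs."""
    findings = []
    for url in package_urls(manifest_bytes):
        if urlsplit(url).scheme != "https":
            findings.append((url, "not served over HTTPS"))
        status = probe(url)
        if status == 200:
            findings.append((url, "downloadable without credentials"))
        elif status not in (401, 403):
            findings.append((url, f"unexpected status {status}"))
    return findings

if __name__ == "__main__":
    # Stub probe standing in for an unprotected server, so this runs offline.
    for url, problem in audit(SAMPLE_MANIFEST, probe=lambda _url: 200):
        print(f"{url}: {problem}")
```

Calling `audit(manifest_bytes)` with the default probe sends a real HEAD request to each URL; a server that answers 200 with a login page instead of 401 will be reported as downloadable and needs a manual look.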

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow