Access to (Development or Distribution) Certificate from iOS App

Question

Is it possible to access the certificate by which the app is signed through some non – private API in order to encrypt data for exchanging with a server?

In fact I have (for instance) a web service and I want only my own iOS app access it. I came up with the idea of using the certificate by which the code is signed to encrypt something (say a constant data) with the certificate private key on client app and decrypt it on server with the certificate public key (to extract that said constant data) to check app identity.

As each iOS app is signed with unique certificate therefore each app can be identified this way.

Is this method correct and possible?

Is there any API to access app certificate and doing such calculation?

Thanks for your help,

Answer 1

The general process you are describing (using the private key on the client side to authenticate on the server with the public key) is correct. Note that it is not an encryption process but a digital signature. However accessing the app signature certificate is not sufficient since the signature private key is not embedded into the app. Moreover this certificate aim is code signing and it is not a good practice to use it for other purpose like client-server communication security.

A solution could be including a dedicated certificate/private key with your app resources and using this certificate to open a HTTPS connection with a client authentication. The drawback is that an attacker on a jailbreak device could be able to reverse-engineer your app and extract the confidential keys in order to authenticate against server outside the authorized app.

There is plenty of discussions on stackoverflow about storage/distribution of confidential data in an iOS app with there pros & cons (for instance here or here).