Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The dev center seems to be able to autogenerate code signing certificates at least. But maybe those can be revoked via online checks. I wouldn't mind having a wildcard enterprise cert with a 20 year expiration =)


Access to an API to get certificates from a different server one at a time is different thing from having the actual private signing key.


Certainly, but an unrestricted code signing certificate would be quite useful too (until they are revoked)


Mmmm... maybe. Okay, let's say you can sign code as anyone, even Apple itself, and create rogue apps.

Now, how do you use that information to compromise iOS devices? You probably won't be able to get it in the App Store, and the iOS devices won't install from anywhere else. You could make an Ad Hoc distribution package, but for that you need to know the UDID of each device and convince your victim to download the rogue app from somewhere other than the App Store.


You can install .ipa files easily via http and mobilesafari, and enterprise certs are valid for ALL UDIDs :)

So (again, assuming no revocation), you could set up a web based alternative app store, or re-sign cracked apps/games, or just enjoy being able to run code on your own devices (and distribute to others without going through the app store) without maintaining the $99/year subscription, or you could start linking/redirecting unsuspecting web browsing users to install malicious apps (would only need 1 confirm click)


If you have Apple's code signing keys, you can boot whatever software you want to on an iPhone. This has never been possible outside of Apple, except in the very rare cases of bootrom exploits (see limera1n).


Which wouldn't take very long. I'd be amazed if Apple wasn't using a hardware security module to store their intermediate signing keys and logging the keys generated from it.

I wonder where the CRL for the dev certificates is -- we might see an update to it soon.


Some info on enterprise adhoc ocsp services are here: http://stackoverflow.com/questions/9216485/how-to-manage-ent...




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: