iOS 7 enterprise distribution on secured server


I have an enterprise distribution certificate that I use to deploy internal applications. Certain of my applications have very sensitive material and to protect the application from being installed by just about anyone in the company, I use a password-protected directory on a web server to host the .IPA file, while the .plist file is on an open web server. Here's the problem I have:

On iOS6, I click the link to install (starts with itms-services://), iOS prompts me to enter my credentials then proceeds to install the application.

On iOS7, the same link works just fine, but for some reason, it asks for my credentials TWICE. Once my credentials have been entered twice, the application installs just fine.

Does anyone have any idea why this is happening? What's different in this process?

2

There are 2 answers

1
Kazutaka Kamiya On BEST ANSWER

I checked the access log of the web server. The itunesstored application asked TWICE (HEAD and GET).

10.0.2.2 - - [06/Feb/2014:14:50:48 +0900] "HEAD /test/app/app.ipa HTTP/1.1" 401 - "-" "itunesstored/1.0 iOS/7.0.4 model/iPhone4,1 (6; dt:73)"
10.0.2.2 - test [06/Feb/2014:14:51:03 +0900] "HEAD /test/app/app.ipa HTTP/1.1" 200 - "-" "itunesstored/1.0 iOS/7.0.4 model/iPhone4,1 (6; dt:73)"
10.0.2.2 - - [06/Feb/2014:14:51:04 +0900] "GET /test/app/app.ipa HTTP/1.1" 401 539 "-" "itunesstored/1.0 iOS/7.0.4 model/iPhone4,1 (6; dt:73)"
10.0.2.2 - test [06/Feb/2014:14:51:09 +0900] "GET /test/app/app.ipa HTTP/1.1" 200 4066787 "-" "itunesstored/1.0 iOS/7.0.4 model/iPhone4,1 (6; dt:73)"

So, I changed a setting of the web server to ignore basic auth when it requests HEAD.

BEFORE:

<Directory "/Library/WebServer/Documents/test/app/">
    AuthType Basic
    AuthName "BASIC AUTH"
    AuthUserFile "/etc/apache2/htpasswd"
    Require valid-user
</Directory>

AFTER:

# Tag HEAD requests with the environment variable "headreq"
SetEnvIf Request_Method HEAD headreq
<Directory "/Library/WebServer/Documents/test/app/">
    # Access control: allow only requests carrying the "headreq" variable
    Order Allow,Deny
    Allow from env=headreq
    # Authentication: everything else needs a valid basic-auth user
    AuthType Basic
    AuthName "BASIC AUTH"
    AuthUserFile "/etc/apache2/htpasswd"
    Require valid-user
    # "Any": a request passes if EITHER the Allow rule OR the auth check succeeds,
    # so HEAD goes through without credentials and GET still requires them
    Satisfy Any
</Directory>

After that, the itunesstored application asked only ONCE (only GET).
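A way to confirm the behaviour from the access log rather than by counting prompts on the device, as an added example that is not part of the answer above: each 401 that Apache returns to itunesstored for the .ipa is one credential prompt, so the analyser below parses combined-format log lines and counts 401s per method for each client and IPA path. The sample log lines are constructed to mirror the ones quoted in the answer (before the change) and the expected pattern after it; the log format regex is an assumption of the common Apache "combined" layout.

```python
import re
from collections import defaultdict

# Apache "combined" log format (assumed), e.g.
# 10.0.2.2 - test [06/Feb/2014:14:51:09 +0900] "GET /test/app/app.ipa HTTP/1.1" 200 4066787 "-" "itunesstored/1.0 ..."
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def auth_prompts(lines, ua_prefix="itunesstored/"):
    """Count 401 challenges per (client IP, .ipa path) sent to the iOS installer.
    One 401 == one credential prompt on the device, so {"HEAD": 1, "GET": 1}
    is the double prompt; after the Satisfy Any change HEAD should be 0."""
    prompts = defaultdict(lambda: {"HEAD": 0, "GET": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["ua"].startswith(ua_prefix):
            continue
        if rec["status"] == 401 and rec["path"].endswith(".ipa"):
            prompts[(rec["ip"], rec["path"])][rec["method"]] += 1
    return dict(prompts)

UA = '"itunesstored/1.0 iOS/7.0.4 model/iPhone4,1 (6; dt:73)"'

# Constructed sample: the original config, both HEAD and GET are challenged.
SAMPLE_BEFORE = [
    '10.0.2.2 - - [06/Feb/2014:14:50:48 +0900] "HEAD /test/app/app.ipa HTTP/1.1" 401 - "-" ' + UA,
    '10.0.2.2 - test [06/Feb/2014:14:51:03 +0900] "HEAD /test/app/app.ipa HTTP/1.1" 200 - "-" ' + UA,
    '10.0.2.2 - - [06/Feb/2014:14:51:04 +0900] "GET /test/app/app.ipa HTTP/1.1" 401 539 "-" ' + UA,
    '10.0.2.2 - test [06/Feb/2014:14:51:09 +0900] "GET /test/app/app.ipa HTTP/1.1" 200 4066787 "-" ' + UA,
]
# Constructed sample: after "Satisfy Any", the anonymous HEAD is answered 200 (note it
# reveals that the file exists; only the GET of the body still needs credentials).
SAMPLE_AFTER = [
    '10.0.2.2 - - [06/Feb/2014:15:02:10 +0900] "HEAD /test/app/app.ipa HTTP/1.1" 200 - "-" ' + UA,
    '10.0.2.2 - - [06/Feb/2014:15:02:11 +0900] "GET /test/app/app.ipa HTTP/1.1" 401 539 "-" ' + UA,
    '10.0.2.2 - test [06/Feb/2014:15:02:16 +0900] "GET /test/app/app.ipa HTTP/1.1" 200 4066787 "-" ' + UA,
]

if __name__ == "__main__":
    print("before:", auth_prompts(SAMPLE_BEFORE))
    print("after: ", auth_prompts(SAMPLE_AFTER))
```

Run it against your real access_log to see whether any itunesstored HEAD request is still being answered with 401; the trade-off of the fix is that an unauthenticated HEAD now confirms the file's existence, while the IPA contents still require the password.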

1
Larry On

Not really an answer to your question, but your approach doesn't guarantee that unauthorized people couldn't install your app. If someone with the password to the directory holding the IPA file shares that file with others, you have no protection.

I had a similar situation and I put password protection directly in the app. Using the unique key generated by the app, the user would request a password which would be generated from this unique key (and hence would be unique to that user) to gain access to the app.