i need to be able to prove to an external device that it is talking to my app on the iphone. i can connect to the device on bluetooth but how can the device know that it is communicating with the right app? any app on the phone can establish a bluetooth connection or use an existing connection, so we want some way to authenticate that the app on the phone is from our company.
these questions come close but the answers do not solve this problem
- How can i prove some data came from my app
- How can i prove data file was not tampered
- How can i prove origin of an ios app
i considered using apple healthkit because ios can add a digital signature to the records that an app writes to healthkit. the app could accept a challenge from the external device, write a record to healthkit that includes the challenge and it gets digitally signed by ios, then read back that signed record and send to the external device.
the record contains the app bundle id and is signed by the operating system, so the external device can check that the record contains the challenge and the bundle id is from our company and verify digital signature. another app on the device could not forge this record containing the challenge, bundle id and digital signature.
there are problems with this approach such as apple may reject as misuse of healthkit and it would require permission from user to allow read and write to healthkit.
