Reliably enable debugging features for yourself. Hide them from your end users. Stop using #if DEBUG.
TLDR: Use a custom Profile that includes a certificate. Install that on devices you want to enable debugging on. By detecting if that profile has been installed on the user’s device, you can enable/disable debug features that are impossible for your users to find.
At my work we use TestFlight to distribute beta builds for internal and external testing. This a great, because once you certify a build as “ready for production”, you can just release it – it’s the exact binary that you’re going to ship.
But there’s a problem – we also want to give ourselves some extra debugging controls in our TestFlight builds for things like switching to a staging environment, toggling feature flags, and viewing extra error info.
These are features that we can’t ship to end users, but that we want available when we use the same version of the App they will get.
I first thought of a few not-so-good ways to do this:
Bad Way #1: Use a different build configuration
Use #if DEBUG
or #if TESTFLIGHT
compiler directives to compile out the debug features from your release build, then only test on a version that has them included.
The upside to this approach is that your debug features are literally compiled out of your release builds so that can’t possibly be enabled by end users. On the other hand, this can also be a problem.
Its easy to enable debug features for DEBUG
builds, but this doesn’t meet the original requirement of being available in TestFlight since the TestFlight builds are releasable binaries, and are compiled using the RELEASE
configuration.
You could even create a custom third configuration called TESTFLIGHT
which is identical to RELEASE
and then enable the features in that build, but then you would need to upload two builds to TestFlight, come up with a wacky versioning scheme to identify them, and keep clear which on is which when testing and releasing. Perhaps worst of all, we wouldn’t actually be testing the binary we were releasing and sometimes there really is a difference.
Bad Way #2: Hardcoded UserId’s
Hardcode a list of our team’s userIds, and only show these features to those users.
This is bad because you need to maintain this list of privileged users, and you can’t ever add users to an old commit. What if you hire new QA and ask them to test this version? They won’t be able to with their own credentials.
It’s also just inelegant. We can do better than this.
Bad Way #3: Detect the installation source programatically
Write your own method that figures out where the App was installed from.
There is no official platform API for differentiating whether the App was installed from Xcode on your dev machine, the App Store, or TestFlight.
This is perhaps because its not a straightforward question – what if you update from an App Store build to a dev build? That probably should count as a DEBUG build, since that’s where the App binary came from, but there will still be remnants of your App Store past on the device, such as the receipt that indicates your purchase history.
But this is not to say you can’t (even if you shouldn’t) make such an API yourself!
You could implement a isRunningInTestFlightEnvironment()
function, along these lines and then use that to show/hide your debugging UI.
But do not overestimate how reliable this kind of method is. It is a hack, implemented by looking for those App Store Receipts, and there’s nothing to say that Apple won’t change the name, location, or meaning of that hardcoded string in a future release, leaving your solution broken.
It is totally great for analysis and you might want to include this in logging, or event reporting, but don’t trust it blindly.
Bad Way #4: Use a secret gesture
Create an undocumented gesture recognizer, and hope its obscure enough that end users don’t stumble on it.
This is sort of like the Konami Code (⬆️⬆️⬇️⬇️◀️▶️◀️▶️🅱🅰). Who could possibly figure out something like that? … right? 😂
The problem is exactly that – someone will figure it out, and then all your debugging tools are out there with no way for you to disable them.
Bad Way #5: Use a secret URL scheme
Add a URL Type to your App target, and implement application(_ open url: options:)
in your AppDelegate
. Open your special URL in Safari to enable debugging.
In my opinion, this is also a pretty good option, and depending on the choice of URL is probably obscure enough that users won’t find it.
But if they do… (see above).
It’s also kind of annoying to have to exit the app and remember the special URL every time you want to change a debug setting, or enter your special menu or whatever.
This need to exit the App could also be detrimental – if you need to be able to open the debug panel without putting your App in the background, this option won’t work for you.
One advantage here is that it isn’t coupled to any single part of the App. The url opens equally well whether you’re on the login screen, or deep in the heart of your App.
The Good Way: Detect a Profile Installed on the Device
Create a special configuration profile using Keychain Access and Apple Configurator 2, and install this on your devices. Detect the presence of this profile to enable your debugging features on that device.
This solution has a number of advantages:
- Nobody can just guess your secret gesture or cheat code, they would need to be explicitly given the debug profile.
- You only have to install the profile once. You don’t have to do your secret enabling technique on every App run or installation.
- You could use one profile for many apps, or multiple profiles for different levels of privilege or feature sets.
- It applies equally well to
DEBUG
andRELEASE
builds, and allows you to access these features even in your published App Store builds. - It doesn’t require any special environment, or specific users
The disadvantages I see are:
- It requires the work of creating and storing this Debug Profile.
- Checking the trust result of the certificate is, admittedly, a bit of a hack.
- You need to save your Debug Profile somewhere and not lose it
So How Does This Work?
This solution is entirely based on the the SecTrustEvaluate()
function.
We use SecTrustEvaluate()
to determine if a user has installed and trusted a certificate (by installing our debug-enabling configuration profile), or just the plain untrusted certificate that was bundled with the Application.
So we’ll need to learn how to: create both of these certificates, create and install the configuration profile, and check the certificate for trust.
Let’s do this!
1. Create a Certificate Authority
- Open Keychain Access.
- Click Keychain Access > Certificate Assistant > Create a Certificate Authority.
- Give the certificate authority a Name.
- Recommended: extend validity.
- Select Let me override defaults.
- Unselect Make this CA the default.
- Change Validity Period to up to 7300 days (20 years).
- Choose a profile.
- You can just leave defaults for the rest of the options. Next, Next, Next…
- Click Show CA Certificate to verify this succeeded, then close the Certificate Assistant.
2. Create the Leaf Certificate to bundle with the App
- Click Keychain Access > Certificate Assistant > Create Certificate.
- Change Identity Type to Leaf.
- Change Certificate Type to Custom, and choose
~/Library/Application Support/Certificate Authority/<your CA name>/<your CA name>.certAuthorityConfig
. - Recommended: extend validity.
- Select Let me override defaults. Continue.
- Change Validity Period to up to 7300 (20 years).
- Select an Issuer:
<your CA name>
- Accept the defaults for the rest of the options. Next Next Next…
- Destroy the private keys for both the Certificate Authority and Leaf Certificate – you don’t need them anymore.
Ok now we’ve got the raw materials needed, and we just need to convert them to the formats needed for the App.
3. Export Leaf Certificate .cer
and Add to App Bundle
- In Keychain Access, find the Leaf Certificate “certificate”
- Right Click > Export
- Select File Format
.cer
- Export to a location in your project repo (you want this certificate tracked in source control)
- In Xcode, Add Files to <project>
- Select your App target in “Add to Targets:”
The certificate will now be included in your app bundle, but since the user hasn’t taken any action to trust that certificate, its SecTrustResultType
(in the code sample below) is kSecTrustResultFatalTrustFailure
.
This will be our indication that the user does not have the debugging profile installed on the device.
4. Export CA Certificate .cer
and Add to Debug Profile
- In Keychain Access, find the Certificate Authority “certificate”
- Right Click > Export
- Select File Format
.cer
- Export to a Location in your project repo
- Again, you want to track this file in source control so you never lose it, but you might want to keep it in a new directory from the leaf cert to avoid confusion.
- Do NOT add this file to your App target.
5. Install Custom Profile on Desired Phones
- Download Apple Configurator 2
- Click File > New Profile
- Provide a Name and fill in any relevant General details
- In the Certificates tab, click Configure
- Select the
<CA Certificate>.cer
file you exported in Step 4 - Save the profile, ie “MyDebugProfile”
6. Add Objective-C Class to check status of profile
Add the following function somewhere in your project. You might add it to an existing utility, or create something like a DebuggingDetector
.
// Based on https://stackoverflow.com/a/31570347/782278
- (BOOL)IsMobileConfigInstalled {
NSString* certPath = [[NSBundle mainBundle] pathForResource:@"YOUR_LEAF_CERTIFICATE_NAME_HERE" ofType:@"cer"];
if (certPath == nil) {
return NO;
}
NSData* certData = [NSData dataWithContentsOfFile:certPath];
if (certData == nil) {
return NO;
}
SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef) certData);
SecPolicyRef policy = SecPolicyCreateBasicX509();
SecTrustRef trust;
OSStatus err = SecTrustCreateWithCertificates((__bridge CFArrayRef) [NSArray arrayWithObject:(__bridge id)cert], policy, &trust);
print("Error Status?: \(err)")
SecTrustResultType trustResult = -1;
err = SecTrustEvaluate(trust, &trustResult);
CFRelease(trust);
CFRelease(policy);
CFRelease(cert);
print("Error Status?: \(err)")
if(trustResult == kSecTrustResultUnspecified || trustResult == kSecTrustResultProceed) {
return YES;
} else {
return NO;
}
}
7. Install the profile on the debugging devices
- In Configurator, select the Device
- Click Add, and choose the <MyDebugProfile>
- The device will advise you the profile has been downloaded, but you’re not done yet.
- At this point the trust result is still
kSecTrustResultRecoverableTrustFailure
- At this point the trust result is still
- Open iPhone Settings then go to General > Profile
- Choose <MyDebugProfile>
- Tap Install, enter passcode, confirm Install, Install, Done.
The trust result will now be kSecTrustResultProceed
. You have successfully enabled debugging on the device!
Even More Options…
There are surely many ways to skin a cat on this one. Here are some other ideas I’ve dreamt up but haven’t tried:
- Leave the debugging features plainly available and protect them behind a password or PIN code.
- Enable debugging by remotely sending messages to your App from another device such as Apple Watch or a computer.
- Write a separate App with the debugging features and link your Apps to each other (think of how Google Drive and Google Docs are able to coordinate between Apps, for example)
- Key debugging off of some other metadata you feel you can trust (only on your home wifi? Only on a given MAC address or SIM card? These are both probably bad ideas, but something along these lines…)
- Write a separate App that simply enters a value into your device’s Keychain. Then check for that value in your primary App. Distribute your enabler App through TestFlight.
Do you have better ideas for how to do this? Did I miss something obvious? What else have you tried? Leave a comment below!
This article contains solutions described in this StackOverflow post and this Dev forums post.
If your job includes code review, consider also reading: How to do High-Bar Code Review Without Being a Jerk
Alex
How would you revoke access? Lets say we want to get our employees access to beta features but revoke when they leave the company?
Nicolai
We have a part of settings that are protected by a PIN. Depending on the PIN, the user get access to more settings (3 levels). Lowest level is fixed PIN and all users get that from the manual.
The PINs for the other levels are time-based and calculated from a fixed seed and the year and month through hash functions.
This has the benefit that you can guide a user to another level by giving them the PIN but the PIN will only work the same month. No server access required.
Sumit
We used to use a “magic string” in the app and in a very hidden flow.
Here’s how it works:
Launch app > Sign in screen > Forgot password > Asks for email id > input the magic string > debug mode activated
Matthew
Hi Andrew,
For an alternative way of enabling debugging features, but with more runtime configurability you can use Appfigurate SDK. Easy to install, just link our small library into your iOS or watchOS app or app extension. Use the Appfigurate application for Simulator or Device to change your applications configuration at runtime. Instead of configuration profiles, we use public/private key pairs. The public key is distributed in your app, the private key is known only to you and your team members and installed securely into your Appfigurate app.
Appfigurate covers most of your wish list specified in your ‘Even More Options…’ section:
– Appfigurate supports encrypted string list items. You can encrypt sensitive information such as test urls into your app that only you can decrypt. For ease of development, use the included Appfigurate Xcode source editor extension to encrypt your plain text values.
– Send configuration payloads to remote users to change the configuration of an application.
– Change the configuration of a paired watchOS app or app extension.
– Use the default identifierForVendor or your own custom identifier string to lock target configuration payloads to a single device.
– Configuration payloads expire (by default) after 7 days.
– If you work in a large team with lots of devices, you can limit distribution of the private key by making it non exportable, in which case the developer/tester can’t export/share the private key out of the Appfigurate app, and it expires after 180 days.
Appfigurate SDK supports Objective-C and Swift apps, but a new version of the
library with full Swift 5.1+ support using property wrappers is coming soon.
If you flick me your email address I’ll send you an App Store redemption code.
Thanks,
Matthew (www.electricbolt.co.nz)
dive
Thanks for the article! Just want to mention why such solutions do no play well for big projects – you ship you debug code with releases (as you mentioned in the Bad Way #1). From my practice, it is just a matter of time when someone will make a mistake and call a debug helper from the unprotected part of the application or expose some restricted information within the binary. In general, I agree, pre-processor macros are ugly, old and do not play well with the modern development, but they do the job – your debug code will be stripped from releases.
Alexandre
Any user could still decompress the App Store IPA, find the certificate and make their own profile, or am I missing something?
Adam
Bad Way #2 could be improved by having the API call to login return a IsDebug property for the user.
This way access is controlled by the server and can be revoked in the future.