Ad Hoc Distribution

 

We would like to officially announce the alternative method of distribution for obtaining our iPhone App for Defcon.  Please make sure to read this entire page before sending us your information.  Special thanks to Alexander Lash for working on this approach to distribution with us.


With Ad hoc distribution, it would work like this:


  1. You send us an email with the following information: the type of device you have and the UDID of the device.

  2. We would provision your device and send you a custom build.

  3. You would then install the provisioning profile and the build into iTunes.

  4. Run a sync and the app will install.


There are, however, issues with this approach, and we want to practice full disclosure regarding the risks.  Given the normal way most developers manage provisioning profiles, the average profile is set up for a given set of devices.  This makes it easy for a developer to build and provision one app for multiple users.  The provisioning file itself will contain multiple plaintext UDID entries, one for each device.  We don’t plan to follow this normal path, but let us first explain why it is a risk.


Other apps on the iPhone (and Touch) make use of the UDID in some form.  For example, some apps tie the UDID to account information.  Then they tie the same account info to other services like Twitter or Facebook.  Now, just by sniffing for the UDID, an attacker can follow a path that will tell them a great deal about their target.  This blog post explains one real-world example.


So in the case of the developer above, a potential attacker who has a provisioning profile with multiple UDIDs will already have a group of targets to look for.  Given the typical group of con attendees, this situation is not optimal for distribution.  So we’re going to take a much stricter approach to provisioning: only one UDID will be placed in a given provisioning profile.  The level of exposure to the end user is about the same as they would get from Apple.
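As an added example (not part of the original announcement and not the authors' code), here is a recipient-side check that a profile you were sent lists only your own UDID. It assumes the profile embeds an XML plist with a `ProvisionedDevices` array; the sample bytes and UDIDs are constructed, and the profile's signature is not verified.

```python
import plistlib

# Constructed sample values; real UDIDs come from your own device.
SAMPLE_UDID = "0123456789abcdef0123456789abcdef01234567"
OTHER_UDID = "fedcba9876543210fedcba9876543210fedcba98"


def build_sample_profile(udids):
    """Build constructed profile bytes: an XML plist wrapped in dummy binary data
    that stands in for the signed container around a real profile."""
    body = plistlib.dumps({"Name": "Sample Ad Hoc", "ProvisionedDevices": list(udids)})
    return b"\x30\x82\x00\x00" + body + b"\x00\x00signature-bytes"


def provisioned_devices(profile_bytes):
    """Return the UDIDs listed in the plist embedded in a profile."""
    start = profile_bytes.find(b"<?xml")
    end = profile_bytes.find(b"</plist>")
    if start == -1 or end == -1 or end < start:
        raise ValueError("no embedded plist found")
    plist = plistlib.loads(profile_bytes[start:end + len(b"</plist>")])
    devices = plist.get("ProvisionedDevices", [])
    if not isinstance(devices, list):
        raise ValueError("ProvisionedDevices is not an array")
    return [str(d).lower() for d in devices]


def audit_profile(profile_bytes, my_udid):
    """Return (ok, unexpected): ok only if the profile lists exactly my_udid."""
    devices = provisioned_devices(profile_bytes)
    unexpected = [d for d in devices if d != my_udid.lower()]
    return devices == [my_udid.lower()], unexpected


if __name__ == "__main__":
    cases = (("single", [SAMPLE_UDID]), ("shared", [SAMPLE_UDID, OTHER_UDID]))
    for label, udids in cases:
        ok, extra = audit_profile(build_sample_profile(udids), SAMPLE_UDID)
        print(label, "OK" if ok else "exposes %d other device(s)" % len(extra))
```

To check a real file, read it in binary mode and pass the bytes and your own UDID to `audit_profile`.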


Given the explanation above, if you’re still interested in receiving a copy of the app for use during the con, please send us an email at defconapp [at] group6 [dot] net with the following information:


  1. The type of device you have and the UDID of the device


We will try to get as many interested individuals provisioned as possible, but cannot make any guarantees.


We will accept email for provisioning until Wednesday, July 29th at 9am PDT.  After that, we won’t be able to accept any more requests.  On Wednesday, we will start emailing out zip archives of the app and the provisioning profile for that user.


If the app makes it through the approval process and is available in time for the con, we will just stop this process altogether.


One final note: once we’re done provisioning all users, we will delete their personal information so that it cannot be used again.