iOS Third party development - best practice (iOS)

[rh37hd]

Hello,

What is the best practice for getting an iOS app signed with the correct certificate before being uploaded to the app store? I am new to this space, and trying to determine a strategy as my organization often outsources the development of apps, but still wants to sign the app with our certificate.

Currently, I can think of two options:
1. Get the source code of the app and resign with our certificate in Xcode
2. Resign the application using an unsupported third party tool

I know that option 1 is best practice, but sometimes the developers will not give us the source code, and we cannot give them our certificate so using a third party tool seems to be the only option.

I have recently heard of some type of developer certificate that may be able to be delegated to the developer and would solve this dilemma. I am not familiar how this works, could someone explain this process or provide advice?

Appreciate the responses!

 

[BarracksSi]

You aren't talking about stealing an existing app and rebranding it as your own, are you?

 

[rh37hd]

You aren't talking about stealing an existing app and rebranding it as your own, are you?

Not at all. I'm talking about outsourcing the development of an application to a third party, and then getting it uploaded to the app store under my company's certificate. (My company does not have iOS developers - we pay others to write apps for us, and they have full knowledge and understanding of what we are trying to accomplish).

For example, the apps may pair with products that my company produces, hence the reason for wanting them to show up under my company's name, and not the company we outsourced the app development to.

 

[TheWatchfulOne]

...sometimes the developers will not give us the source code...

If it's code you paid them to develop, then I believe it's considered work-for-hire and they should be providing you access to it. Better yet, you should be owning/managing that code and providing the developers access to it.

The developer might have a component they've developed which they use in all their clients projects. The source code for that component might be a different story.

 

[PhoneyDeveloper]

1 is the simplest. Even if you're outsourcing development it's best if you get the source code at the end. However, I do know there are dev shops that have an existing app that they customize for each customer and don't provide the source code.

2 is easily done. You're not using unsupported third party tools. The code signing is done by Apple's tools using your credentials. In fact this is what Xcode does when you upload to the app store. It resigns the app. When I've done this repeatedly I wrote a shell script that does the various steps. You might ask your developers to provide you with this.

 

[firewood]

1. Negotiate whether you are getting source code ahead of contracting for an app. If you pay for code, you should get the code.

2. If getting source code is too expensive (or tied up with patents/trade-secrets/etc.), then put together a signed written contract that the developer can act as your legal agent on ITC for a certain day for limited purposes, give him/her your agent credentials, let them get certificates, sign and submit the app(s). Then you can revoke those certificates and change your agent passwords, right afterwards if needed.

3. If you don't get the source code, and don't trust giving out your agent password to that developer for one day even with a signed contract, do you trust what the developer put in the code inside your app? Do you really want to be legally liable for that code? (Check your developer agreement.)