Unlike Android, you cannot install any application on an iOS device, as only Apple allows the application to run. When developers submit an application to the App Store, Apple manually installs the application on test devices and verifies that the application works as described, does not crash during normal use, and complies with their App Store Review Guidelines. Once the application passes the review process, Apple re-signs it with its security certificate. And only after that, the application is ready for publication in the App Store.

Apple allows developers to run their applications on an iOS device on behalf of Apple using a provisioning profile. However, this is not the same "sideloading" that can be done on Android, and provisioning profiles impose restrictions on an application.

Provisioning profiles

The provisioning profile is a collection of digital entities that uniquely ties developers and devices to an authorized development team and enables a device to be used for testing. In other words, the provisioning profile acts as a link between the device and the developer account. During development, the developer chooses on which devices the application can run and which application services it can access. This allows for sufficient flexibility for debugging and testing on the device, including distributing the application to beta testers.

The provisioning profile is downloaded from a developer account as a .mobileprovision file and embedded in the application bundle. In turn, the entire bundle is signed.

.mobileprovision file

The .mobileprovision file has the following structure:

  • File header - is a binary data (looks like it does not contain any useful data).

  • plist - is a plist file with all project-related information.

  • File footer - is a binary data (looks like that is the file signature).

Example of ad hoc profile plist file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "">
<plist version="1.0">
  <string>iOS My App</string>
  <string>MyApp Ad Hoc</string>

The provisioning profile consists of several items, the most important of which are described below.


App ID

An App ID is a two-part string ( alpha-numeric characters and App Bundle ID) used to identify one or more apps from a single development team (this can include a * wild card to be used for many applications with similar bundle identifiers).

Development Certificates

Development Certificate is a unique security certificate issued by Apple that uniquely identifies you as the developer or publisher of the application. The private key of the distribution certificate is used to sign the application. There are two types of signing certificates:

Development certificate is used for individual developers who are actively debugging and developing an application.

Production certificate is used either a production setting (final build for the App Store) or a QA build that is distributed through Apple's TestFlight Beta or another app test distribution system. These certificates identify you as an App Store Publisher to Apple or as a Test Distributor and can only be used with production provisioning profiles.

Unique Device Identifiers

List of device IDs on which the application can run on.


Entitlements are special permissions or capabilities required by an application to interact with other Apple services external to the application. Because iOS apps are isolated from each other, they cannot directly interact with other operating system services without entitlements. The types of entitlements include the following:

> Push Notifications

> Cloud Kit

> Keychain Sharing

> Keychain Sharing

> etc.

The development and app store profiles contain almost the same data with small differences:

  • The development profile is almost identical to the ad hoc profile except of Entitlements.get-task-allow set to true.

  • The app store profile does not contain the ProvisionedDevices key.

Types of provisioning profiles

There are 4 different types of provisioning profiles:

  • Development

  • Ad Hoc

  • App Store

  • Enterprise

Development provisioning profile

The development provisioning profiles are used only when developing an application. The development provisioning profile must be installed on each device on which developers want to run the application. If the information in the provisioning profile does not match certain criteria, the application will not start.

Devices specified within the development provisioning profile can be used for testing only by those individuals whose development certificates are included in the profile. A single device can contain multiple provisioning profiles.

Ad Hoc provisioning profile

The ad hoc provisioning profile is similar to the development provisioning profile, but it allows development teams to distribute applications to a specific target set of iOS devices outside of the App Store. Ad hoc provisioning profiles are used to distribute applications to testers who are not included in the iOS Developer Program for an organization.

An app deployed with an ad hoc provisioning profile will be almost identical to the production version is submitting to the App Store (ie. it will need a distribution certificate for push notifications to work and etc.)

App Store provisioning profile

The app store provisioning profile is used to submit app to the App Store for distribution. The difference between development and app store profiles is that app store profiles do not specify any device IDs.

Enterprise provisioning profile

The Apple Developer Enterprise Program allows companies to create and distribute in-house applications to their employee's iOS devices through the use of the enterprise provisioning profile.

Enterprise provisioning profiles do not need a list of device IDs giving companies the flexibility to install their in-house proprietary apps to an unlimited number of devices that are registered with their enterprise.

Deployment process

When you deploy the application on a device the following things happens:

  • The provisioning profile in the Mac goes to the developer certificate in your keychain.

  • Xcode uses the certificate to sign the code.

  • Device's UUID is matched with the IDs in the provisioning profile.

  • App ID in the provisioning profile is matched with the bundle identifier in the application.

  • The entitlements required are associated with the App ID.

  • The private key used to sign the application matches the public key in the certificate.

If all the above steps are successful the signed binary is sent to the device and is validated against the same provisioning profile in the application and finally launched. If anyone of these conditions fail, then the application will not install — and you will see a greyed-out app icon.


Last updated