AWS Security ChangesHomeSearch

AWS devicefarm medium security documentation change

Service: devicefarm · 2025-11-19 · Security-related medium

File: devicefarm/latest/developerguide/skip-app-re-signing-on-private-devices.md

Summary

Clarified that iOS app re-signing removes *all* entitlements (previously listed specific ones), updated terminology from 'dummy app' to 'placeholder app', and added iOS 18-specific instructions requiring AWS support intervention for app trust.

Security assessment

The change explicitly states that iOS re-signing removes all entitlements, which impacts security-relevant features like Push Notifications and VPN. The iOS 18 requirement for AWS support to manually trust apps introduces a new security procedure to comply with Apple's stricter trust policies, addressing potential unauthorized app execution risks.

Diff

diff --git a/devicefarm/latest/developerguide/skip-app-re-signing-on-private-devices.md b/devicefarm/latest/developerguide/skip-app-re-signing-on-private-devices.md
index ded27dfb4..a9858adee 100644
--- a//devicefarm/latest/developerguide/skip-app-re-signing-on-private-devices.md
+++ b//devicefarm/latest/developerguide/skip-app-re-signing-on-private-devices.md
@@ -13 +13 @@ Once you upload your app to AWS Device Farm, the service will generate a new sig
-On iOS, we replace the embedded provisioning profile with a wildcard profile and resign the app. If you provide it, we will add auxiliary data to the application package before installation so the data will be present in your app’s sandbox. Resigning the iOS app results in the removal of certain entitlements. This includes App Group, Associated Domains, Game Center, HealthKit, HomeKit, Wireless Accessory Configuration, In-App Purchase, Inter-App Audio, Apple Pay, Push Notifications, and VPN Configuration & Control.
+On iOS, we replace the embedded provisioning profile with a wildcard profile and re-sign the app. If you provide it, we will add auxiliary data to the application package before installation so the data will be present in your app’s sandbox. Re-signing the iOS app results in the removal of all entitlements.
@@ -15 +15 @@ On iOS, we replace the embedded provisioning profile with a wildcard profile and
-On Android, we resign the app. This may break functionality that depends on the app signature, such as the Google Maps Android API. It may also trigger anti-piracy and anti-tamper detection available from products such as DexGuard. For built-in tests, we may modify the manifest to include permissions required to capture and save screenshots.
+On Android, we re-sign the app. This may break functionality that depends on the app signature, such as the Google Maps Android API. It may also trigger anti-piracy and anti-tamper detection available from products such as DexGuard. For built-in tests, we may modify the manifest to include permissions required to capture and save screenshots.
@@ -71 +71 @@ If you're using an in-house (Enterprise) developer provisioning profile, you mus
-To do so, you can either install the app that you want to test on the private device, or you can install a dummy app that's signed with the same certificate as the app that you want to test. There is an advantage to installing a dummy app that's signed with the same certificate. After you trust the configuration profile or enterprise app developer, all apps from that developer are trusted on the private device until you delete them. Therefore, when you upload a new version of the app that you want to test, you won't have to trust the app developer again. This is particularly useful if you run test automations and you don't want to create a remote access session each time you test your app.
+To do so, you must install a placeholder app that's signed with the same certificate as the app that you want to test. After the device trusts the configuration profile or enterprise app developer, all apps from that developer are trusted on the private device until you delete them. Therefore, when you install new versions of the app that you want to test, you won't have to trust the app developer again each time. This is particularly useful if you run test automations and you don't want to create a remote access session each time you test your app.
@@ -73 +73 @@ To do so, you can either install the app that you want to test on the private de
-Before you start your remote access session, follow the steps in [Creating an instance profile in AWS Device Farm](./set-up-private-devices-account-settings.html) to create or modify an instance profile in Device Farm. In the instance profile, add the bundle ID of the test app or dummy app to the **Exclude packages from cleanup** setting. Then, attach the instance profile to the private device instance to ensure that Device Farm doesn't remove this app from the device before it starts a new test run. This ensures that your developer certificate remains trusted.
+A common procedure many customers use is to re-sign the [Device Farm sample app for iOS](https://github.com/aws-samples/aws-device-farm-sample-app-for-ios/blob/master/prebuilt/prebuiltSampleApp.ipa), then install this onto their device as the placeholder app.
@@ -75 +75,3 @@ Before you start your remote access session, follow the steps in [Creating an in
-You can upload the dummy app to the device by using a remote access session, which allows you to launch the app and trust the developer.
+Before you start your remote access session, follow the steps in [Creating an instance profile in AWS Device Farm](./set-up-private-devices-account-settings.html) to create or modify an instance profile in Device Farm. In the instance profile, add the bundle ID of the placeholder app to the **Exclude packages from cleanup** setting. Then, attach the instance profile to the private device instance to ensure that Device Farm doesn't remove this app from the device before it starts a new test run. This ensures that your developer certificate remains trusted.
+
+You can upload the placeholder app to the device by using a remote access session, which allows you to launch the app and trust the developer.
@@ -85 +87 @@ To filter the list of devices to include only private devices, select **Private
-Be sure to also add the dummy app or the app that you want to test to the **Exclude packages from cleanup** setting for the instance profile that's attached to this instance.
+Be sure to also add the placeholder app or the app that you want to test to the **Exclude packages from cleanup** setting for the instance profile that's attached to this instance.
@@ -91 +93,3 @@ Be sure to also add the dummy app or the app that you want to test to the **Excl
-  4. Follow the instructions to trust the developer certificate.
+  4. Confirm that an iOS dialogue box appears indicating that the enterprise app developer is untrusted.
+
+  5. Then, if the iOS device is on iOS version 18 or greater, open a support ticket with the AWS Device Farm team to have our team trust the app for you, since these devices require the app to be manually trusted. Otherwise, if the iOS version is 17 or lower, you can go into the **Settings** app, and, under **General** settings, trust the app yourself from the **VPN and Profiles** menu.