Please add an upload-only role to iTunes Connect

Originator: irons
Number: rdar://19466589
Date Originated: 13-Jan-2015 06:54 PM
Status: Open
Resolved:
Product: iTunes Connect
Product Version: 2015-01-13
Classification: Enhancement
Reproducible: Always
 
Summary:
An iTunes Connect account with the privileges needed to upload an iOS or Mac binary also has the privileges to modify app metadata, publish app updates, and delete apps. This makes it unnecessarily dangerous to store the Apple ID credentials used to automate build uploads. In the era of iTunes Connect TestFlight, this is now a problem.

Steps to Reproduce:
1. Set up build infrastructure to upload binaries from a continuous integration server, using iTunes Connect Transporter.
2. Realize that you have to entrust the build server with plaintext credentials capable of inflicting vast damage on your account.
3. Reconsider the wisdom of build automation.

Expected Results:
A miscreant who compromises the build server should not be able to obtain credentials used to compromise an iTunes Connect account. (If they want to use those credentials to upload fake builds and waste integer build numbers, I will survive.)

Actual Results:
The miscreant who compromises the build server has at least Technical privileges in iTunes Connect, which from a product standpoint might as well be god.
