So, I have a private Apple Developer Account, and there's one guy who told me that he wants to "rent" my p12 certificate and mobileprovision file to distribute his app (which also confuses me: why doesn't he just buy a developer account himself instead of renting from someone?).
I have read this and this, but I'm still unsure about what kind of danger there is in sharing those files and what risks can come from this action. What's inside the p12 certificate and mobileprovision file? Can someone explain? Thank you!
CodePudding user response:
The biggest "risk" is that "one guy" can upload apps to the App Store as you. It is very likely that "one guy" can't get their own ADC account because they already had one and burned it by violating Apple's developer agreement. For example, they may have uploaded a trivial app that, unbeknownst to the phone's owner, burns the phone's battery mining bitcoin to send back to "one guy". Now they can't get another ADC account without finding a willing dupe (in this case "some guy" hopes it is you, but you have been critical enough of his false claims to figure out what is going on... congratulations!).
Alternately, "one guy" may be absolutely innocent of vile intent and just doesn't know how easy it is to get their own developer account. It is too hard to tell if that is the case, though, which means you still shouldn't share yours. After all, the potential cost to you of sharing the cert is high, and the benefit is low. Also, if they resist getting one of their own when you explain how easy it is, the chances go up that they have ill intent.
(Also, if by "private Apple Developer Account" you mean the personal accounts that don't let you upload to the App Store, someone can upload IPA files, your provision file, and "side loading instructions" to get apps that would never pass App Store review onto other people's phones until Apple notices it and shuts down your account. Not exactly the same "attack", but definitely something of negative value to you!)
Good luck!