iOS – concerned that the app developer wants private information

ios

I have a freelancer creating an iOS app for my website.

He's asked for my apple developer account username, password and UDID.

Is this legit? It sounds like EXACTLY the sort of thing you're not supposed to do. However, though I'm competent in a website/db environment, apps and mobile dev is a sealed book to me (hence needing a freelancer).

Should I provide this information?

Best Answer

As an app developer with my own apps and client work on the store, I understand your concern, but there's nothing shady about this request.

Your app is being made from a mixture of code files, images, and maybe some mp3s, etc. Once it's ready, your developer needs to package it up and upload it to iTunes Connect so Apple can review it for the store.

The way this works is that he or she (well, someone with the source code) needs to enter your credentials into a tool called Xcode in order to be able to upload the finished product, often called the "binary." (Xcode is the development environment that iOS developers use. Uploading apps to Apple is a small feature, but that's generally how it's done.)

It's actually a little more interesting. The reason we usually don't like giving out our passwords is because we don't want other people to impersonate us. In this case, that's exactly what you want.

To understand this a little more deeply, let's talk about code signing for a minute.

There are two elements here. One is the signing certificate, which is for your security, and one is the "provisioning profile" which allows Apple to control apps from being widely distributed outside the App Store.

When you or your developer creates your finished app, Xcode compiles the code, links it, and then copies the product and other resources into the final app bundle.

Then, the bundle is "signed" with what's called a "signing certificate" which is created through the Apple Developer Portal. This reassures Apple that the app submission is coming from you and not someone else.

A provisioning profile says what devices may install a given app. There are profiles for the App Store and profiles for development and profiles for enterprises to distribute to their employees.

The development profiles limit installation to a specific number of devices, and it does that by containing a list of valid UDIDs - or device identifiers.

So Xcode has to get into your account, download your signing certificate and provisioning profile(s), and then upload the app. This is why your developer has to "be" you.

The truth is that for testing, your developer should be uploading to Apple and then using TestFlight to distribute the test version of the app, but regardless, it's completely reasonable for a developer to have to access your iTunes Connect and/or Member Center account.

You can do this a few ways:

  1. You can give your developer your credentials, or

  2. Invite them to be part of your team in iTunes Connect. That way, they can log in and do what they need to without having your password.

  3. If your arrangement and your comfort level allow, the developer can send you the code and you can submit yourself.

You can remove them from your team or change your password when you are finished.

If you're really uncomfortable, offer to screen share with your developer and enter the passwords for them. It's not really the best option but could be a good compromise.

Best of luck with your new app!
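Added example, not part of the answer above: an account owner can check what a provisioning profile actually authorizes (profile type, team, expiry, and any UDIDs they do not recognize) by reading the plist embedded in the `.mobileprovision` file. The sample profile, team ID and UDIDs are constructed, the function names are hypothetical, and the code reads the payload without verifying the CMS signature around it.

```python
import plistlib
from datetime import datetime

def extract_plist(blob: bytes) -> dict:
    """Read the XML plist embedded in a .mobileprovision file (signature NOT verified)."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def classify(profile: dict) -> str:
    """Heuristic profile type, based on which device-related keys are present."""
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"          # installable on any device
    if "ProvisionedDevices" not in profile:
        return "app-store"           # no device list: store distribution
    debug = profile.get("Entitlements", {}).get("get-task-allow", False)
    return "development" if debug else "ad-hoc"

def audit(blob: bytes, my_udids: set, now: datetime) -> dict:
    """Summarize a profile and flag device UDIDs the owner does not recognize."""
    p = extract_plist(blob)
    devices = set(p.get("ProvisionedDevices", []))
    return {
        "name": p.get("Name"),
        "team": p.get("TeamIdentifier", []),
        "type": classify(p),
        "expired": p["ExpirationDate"] < now,
        "unknown_devices": sorted(devices - my_udids),
    }

def make_sample() -> bytes:
    """Constructed stand-in for a profile: fake CMS bytes around a real plist."""
    plist = plistlib.dumps({
        "Name": "Example Dev Profile",
        "TeamIdentifier": ["ABCDE12345"],            # constructed team ID
        "ExpirationDate": datetime(2030, 1, 1),
        "Entitlements": {"get-task-allow": True},
        "ProvisionedDevices": ["UDID-OWNER-0001", "UDID-OTHER-0002"],
    })
    return b"\x30\x82constructed-cms-header" + plist + b"constructed-cms-trailer"

if __name__ == "__main__":
    print(audit(make_sample(), {"UDID-OWNER-0001"}, datetime(2025, 1, 1)))
```

A UDID in `unknown_devices` means the profile lets the build install on a device the owner did not register.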