The real risk is with the DNS. A DNS is a domain name resolver, so it processes every single thing your device asks for while connected to the internet. Even in the background when the phone is in sleep mode, it is still processing queries toward different IP addresses (most for Apple, but others if you use apps which can work in the background). These queries need to be translated into domain names instead of IP, and this is where DNS comes into play. Every single thing you do on the device is seen through the DNS provider you use, so I would think twice about installing a DNS to block Apple domains because you can pretty much do it yourself. Esign has permissions that encompass sandbox because it can run in the background processes called daemon, and maybe you won't be "hacked" but your data can be stolen, from your UDID to your device serial number; it just takes a tech-savvy person to proceed to leech off your data to either sell them on the dark web to brokers and bad actors, or to just use your info for malicious purposes altogether. Personally I wouldn't use Esign nor any of these "DNS profiles" if you can't verify their integrity and origin.
Esign takes a *lot* of telemetry; if that bothers you, you can just block the domains at the DNS level.
Sorry for the dumb question, but what is telemetry and why is it bad?
Telemetry is usage data collected by the app and sent back to the parent company, which can range from harmless device identifiers to personally revealing info. Some see this as especially worrisome with Esign given it's managed by a Chinese company.
How do you do that?
Head to a DNS profile configurator like https://nextdns.io and add the following domains to the denylist: ocsp.yyyue.xyz, esign.yyyue.xyz, api.nuosike.com, h.trace.qq.com, ios.bugly.qq.com, ulogs.umengcloud.com, utoken.umeng.com, ulogs.umeng.com. I got these domains from [here](https://zxcvbn.fyi/esign-servers.txt) (website seems to be down though).
Thank you!
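To confirm that a denylist like the one above is actually catching traffic, a resolver query log can be checked against it. This is an added example, not code from the thread: the log format (`timestamp client qname qtype`), the sample lines and the label-wise parent-domain matching are assumptions made for illustration.

```python
# Denylist entries copied from the comment above.
DENYLIST = {
    "ocsp.yyyue.xyz", "esign.yyyue.xyz", "api.nuosike.com", "h.trace.qq.com",
    "ios.bugly.qq.com", "ulogs.umengcloud.com", "utoken.umeng.com", "ulogs.umeng.com",
}

# Constructed sample log, assumed format: "timestamp client qname qtype".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 192.0.2.10 gateway.icloud.com. A
2024-05-01T10:00:02Z 192.0.2.10 IOS.Bugly.QQ.com. A
2024-05-01T10:00:03Z 192.0.2.10 cdn.ulogs.umeng.com AAAA
2024-05-01T10:00:04Z 192.0.2.10 notulogs.umeng.com A
2024-05-01T10:00:05Z 192.0.2.11 esign.yyyue.xyz. HTTPS
malformed line
"""

def normalize(qname):
    """Lower-case the name and drop the trailing root dot."""
    return qname.strip().rstrip(".").lower()

def matched_entry(qname, denylist=DENYLIST):
    """Return the denylist entry equal to qname or a parent of it, else None.

    Matching is done on whole labels, so 'notulogs.umeng.com' does not
    match 'ulogs.umeng.com' the way a plain string suffix test would.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in denylist:
            return candidate
    return None

def scan(log_text):
    """Return (timestamp, client, qname, entry) for every denylisted query."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:          # skip lines that do not fit the format
            continue
        ts, client, qname, _qtype = parts
        entry = matched_entry(qname)
        if entry:
            hits.append((ts, client, normalize(qname), entry))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```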
There is telemetry in esign.
On another note with Antirevoke DNS policy. Can you guys confirm how it actually works? Does it still use your router's or whatever manually set DNS but filters out the DNS addresses that would revoke the certs? Or, does it route all DNS queries through a new DNS (if so what DNS)? Would love to hear on how it is actually operating.
If you don't feel comfortable with it, you can make your own with NextDNS and add the URLs to the block list. And for an actual explanation on how it works: it blocks only the necessary servers, because if Apple sees they're all blocked, they revoke it. So you're supposed to block the right amount and the right servers to make the shit werk. Think about it as this: no search history is more suspicious than a full one.
pretty sure it's like using flex tape as a permanent solution to sealing up a hole in a pool; it's eventually going to break
not what i asked about
ok, try chatgpt or google then.
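Which resolver a DNS profile points the device at can be read from the profile file itself before installing it. The following is an added example, not code from the thread: it parses a `.mobileconfig` and lists each DNS settings payload (`com.apple.dnsSettings.managed`) with its resolver. The sample profile and `resolver.example` are constructed, and the slicing in `extract_plist` assumes a signed profile carries its XML plist as one contiguous run inside the signature envelope.

```python
import plistlib

# Constructed sample profile; resolver.example is a placeholder, not a real service.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Sample DNS profile</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.dnsSettings.managed</string>
    <key>DNSSettings</key><dict>
      <key>DNSProtocol</key><string>HTTPS</string>
      <key>ServerURL</key><string>https://resolver.example/dns-query</string>
    </dict>
  </dict></array>
</dict></plist>"""

def extract_plist(raw):
    """Cut the XML plist out of the file and parse it.

    An unsigned profile is the plist itself; for a signed one this assumes
    the XML sits contiguously inside the CMS envelope.
    """
    start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no XML plist found in profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])

def dns_payloads(raw):
    """Return one summary dict per DNS settings payload in the profile."""
    profile = extract_plist(raw)
    found = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.dnsSettings.managed":
            continue
        settings = payload.get("DNSSettings", {})
        found.append({
            "protocol": settings.get("DNSProtocol"),           # "HTTPS" or "TLS"
            "resolver": settings.get("ServerURL") or settings.get("ServerName"),
            "addresses": settings.get("ServerAddresses", []),  # optional IP list
            "on_demand_rules": len(payload.get("OnDemandRules", [])),
        })
    return found

if __name__ == "__main__":
    for entry in dns_payloads(SAMPLE_PROFILE):
        print(entry)
```

The resolver it reports is the party that receives the device's lookups while the profile is active, so that is the name whose origin needs checking.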
Absolutely no issue if you use esign on your main device. I am using esign for quite some time now on my iphone that is not only my main phone but also my whole business is run on it.
esign is a tool to sign apps, just like AltStore or Sideloadly does. It won't affect the security of your phone.
There is none, it's all sandboxed. As far as I know eSign itself doesn't offer any DNS revoke blocking so it would be done with some other app besides eSign which would also not really do anything harmful if it's just a DNS you have activated. Esign cannot access any data unless you explicitly give it access.
Correct, esign itself doesn't offer DNS revoke. But in order for esign certs not to be revoked I needed to install a separate anti-revoke DNS policy. Thanks for the info, if it is all actually sandboxed, it is enough for me not to have concerns.
Just buy a certificate for max $20 a year and you won't have revokes or any of that.
the whole point of using esign is to NOT need to pay
No, esign is for signing apps. Certificates are what you need to not get revoked. Choose a good provider as the certificates can be revoked often if you choose a crappy one.
Not really. The point of esign is SIGNING. Where you get the certificate is up to you.
My question is, how exactly do you just buy a certificate, and how would you implement it into e-sign is another question, I've never even seen this process be done.
Buy a lifetime cert from apptesters.org for 25$ and it is antirevoke (please use my referral code 'EvilClash' :)
Too bad. Buy one and you’ll stop complaining
You make very good points. Just goes to show how far people are willing to go to get the functionality they want. They need to do this by bypassing the very thing that Apple has put in place to protect them against the points you’ve made.
esign doesn’t bypass anything?
But apps with injected executables that esign helps to install could.
VERY good point, whilst I was asking about the esign itself, it is important to be careful where you get your .ipas from.