I am sorry for the spoiler in the title, but we discovered that iOS extensions do not work properly after wrapping an app with MobileIron, and we did not find any information about it in the MobileIron documentation or on the Internet. Because of that, we chose this title in order to help other developers who have the same issue that we had.
MobileIron is an MDM (mobile device management) platform that allows a company to distribute apps internally and to add an extra security layer to those apps (passcode, remote wipe, secure tunneling…).
It is one of the most used MDMs.
We found that a mobile app wrapped with the MobileIron Wrapper that uses “Secure Tunneling” to access an internal server has problems.
If we use the main app, it works fine and the app can access the internal network, but if we try to use the Share In extension, the app cannot access the internal network.
Using a proxy (Charles or mitmproxy) we looked at the network requests and discovered that the MobileIron Wrapper changes the URL of the request on the fly.
If the app has to connect to https://internal.company.com (an internal server not accessible from the Internet), the URL is changed to https://sentry.company.com (an external server), which is the MobileIron server that does the tunneling. Because of that, all requests that have to go to https://internal.company.com first pass through https://sentry.company.com and are redirected to https://internal.company.com.
But in the Share In extension this does not happen. The URL never changes and the app always tries to connect to https://internal.company.com, so the request never reaches its destination. We also saw that the passcode was never asked for in the Share In extension. Because of that, we thought that the Wrapper did not wrap the extensions.
With all this information we wrote to the MobileIron support team, and they confirmed our theory.
The MobileIron Wrapper does not wrap extensions because an extension cannot read the policies. When we open the wrapped app, it automatically opens Mobile@Work, a MobileIron app that reads the policies and applies them to the wrapped app.
With an extension, this “flip” between apps does not work: extensions run in a different process, so MobileIron cannot open Mobile@Work and come back to the extension.
Extensions usually have small functionality, but that functionality could allow a user to access restricted information, so it is very important to know this in order not to have a security issue in our wrapped apps.
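
Since extensions are left outside the wrapper, it helps to know exactly which ones a build ships before it is distributed. The following is an added example, not part of the original post and not MobileIron tooling: it lists the `.appex` bundles inside an IPA so each can be reviewed for network and data access. The sample IPA, bundle identifiers and the `ShareIn` name are constructed for the demonstration.

```python
import io
import plistlib
import re
import zipfile

# Info.plist of any app extension bundled in the IPA (PlugIns/<name>.appex).
APPEX_PLIST = re.compile(r"^Payload/.+/PlugIns/([^/]+)\.appex/Info\.plist$")


def list_extensions(ipa):
    """Return sorted (name, bundle id, extension point) tuples for an IPA.

    `ipa` is a path or a binary file-like object.
    """
    found = []
    with zipfile.ZipFile(ipa) as z:
        for entry in z.namelist():
            m = APPEX_PLIST.match(entry)
            if not m:
                continue
            info = plistlib.loads(z.read(entry))  # handles XML and binary plists
            ext = info.get("NSExtension", {})
            found.append((m.group(1),
                          info.get("CFBundleIdentifier", "unknown"),
                          ext.get("NSExtensionPointIdentifier", "unknown")))
    return sorted(found)


def build_sample_ipa():
    """Constructed in-memory IPA: one main app plus one share extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist",
                   plistlib.dumps({"CFBundleIdentifier": "com.example.demo"}))
        z.writestr("Payload/Demo.app/PlugIns/ShareIn.appex/Info.plist",
                   plistlib.dumps({
                       "CFBundleIdentifier": "com.example.demo.sharein",
                       "NSExtension": {
                           "NSExtensionPointIdentifier": "com.apple.share-services"},
                   }))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, bundle_id, point in list_extensions(build_sample_ipa()):
        # Per the behaviour described above, these run without the wrapper's
        # passcode and tunneling, so each needs its own review.
        print(f"{name}: {bundle_id} ({point}) is not covered by the wrapper")
```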