PTKD Mobile App Security
low | M8 | MASVS-CODE-2 | static analysis | PTKD-IOS-WILDCARD-ID

Wildcard application identifier

The provisioning profile uses a wildcard application-identifier (TEAMID.*), which is over-broad and typically a non-production signing setup.

How it's exploited

A wildcard application-identifier (TEAMID.*) means the profile is generic rather than bound to one app: capabilities like keychain-access-groups get broader matching than intended, and keychain items can be shared more widely than designed.

Why it matters

A wildcard identifier loosens the identity boundaries between your apps; explicit app IDs exist to prevent exactly this.

How to fix it

  1. Create an explicit App ID for the app and re-sign with a profile bound to it.
  2. Review keychain-access-groups afterwards; tighten to the exact group list.
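To confirm the fix took effect, the re-signed build's embedded.mobileprovision can be checked for remaining wildcards. The following is an added example, not code from this knowledge base: it extracts the plist payload from the signed profile and flags wildcard values in application-identifier and keychain-access-groups. The sample profile bytes, the team ID TEAMID1234 and the function names are constructed for illustration.

```python
import plistlib

# Constructed sample: a plist payload wrapped in made-up bytes standing in for
# the CMS envelope of an embedded.mobileprovision file. TEAMID1234 is invented.
SAMPLE_PROFILE = b"\x30\x82\x01\x00cms-header" + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Constructed wildcard profile</string>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>TEAMID1234.*</string>
    <key>keychain-access-groups</key><array><string>TEAMID1234.*</string></array>
  </dict>
</dict></plist>""" + b"cms-signature-bytes"


def extract_profile_plist(blob: bytes) -> dict:
    """Pull the XML plist out of the signed profile (the signature is not verified)."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def audit_profile(blob: bytes) -> list:
    """Return one finding per wildcard identifier in the profile's Entitlements."""
    entitlements = extract_profile_plist(blob).get("Entitlements", {})
    findings = []
    app_id = entitlements.get("application-identifier", "")
    if app_id.endswith("*"):
        findings.append(f"wildcard application-identifier: {app_id}")
    for group in entitlements.get("keychain-access-groups", []):
        if group.endswith("*"):
            findings.append(f"wildcard keychain-access-group: {group}")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(finding)
```

A profile bound to an explicit App ID with an exact keychain group list produces no findings.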
