Hi there:

This is ultimately a question I have about private keys, which I don't fully understand, in the context of outsourcing development of an iPhone app.

I have my own iPhone Dev Program account and will be outsourcing development of an app to a team that has their own Dev Program account. I plan on letting them use their account credentials throughout the initial dev and testing cycle (providing my iPod Touch device ID so I can test too, etc) until the final build, which needs to be tied to my Dev Program account, so I can upload it under my account.

I will not be providing the team with my actual Dev Program login and password, but in order for the team to be able to make me the final App Store ready build for me to upload to the app store using my Dev Program credentials, I will need to share a private key generated on my Mac, for them to install on their machine in order for them to be able to make my final build using a Distribution Certificate, Provisioning Profile, and App ID linked to my account (those will also be generated on my Mac and which I will also share with them for use in generating the final build).

I basically trust the team; but in a worst case scenario, what bad behavior could be done with the shared information, namely the private key?

If at all possible I would attempt to do the final build yourself, it is one of those things you want to make sure goes right and with some things its best to handle it yourself.

If they have access to your key, to my knowledge there is not much they could do. They would need your itunesconnect login and password to even upload the app. If they had this they might be able to do some damage such as changing bank information, uploading apps, looking at sales data ect.

Another vote for doing the final build yourself. Once the contract's ended and you're left with your project, you want to be able to modify and build it yourself for future updates, without having to go back to the dev team in case they're not available, too expensive or otherwise not suitable.

Yep, thirding the build it yourself route. Casey and I did it that way, and from the developer's point of view it worked out great for me. I did all the development and he gave me his device IDs during development, but for the final build he was able to build it himself using his own dev account. I just provided the project to him, clean and ready to rock (minus the actual build of course). I think it keeps things cleaner and separate for him to know he has all the goods later on down the road if needed, plus he doesn't have to worry about me having any of his security info.

Thank you all for the very helpful replies