App On The Go
Log in
Free tool · no signup · runs entirely server-side

.mobileprovision
decoder.

Drop an iOS .mobileprovision file to see what's inside. Team name & ID, App ID, entitlements, expiration date, every registered UDID, and the signing certificates — all the data Xcode shows you in Signing & Capabilities, without opening Xcode.

File is processed in memory and not stored. The decoded values stay on this page.

What you'll see

  • Profile type — Development / Ad-hoc / App Store / Enterprise (auto-detected from entitlements + devices)
  • Team & App ID — Team name, Team ID, full application-identifier
  • Validity — created date, expiration date, days remaining
  • Capabilities — APS environment, app groups, keychain groups, get-task-allow
  • Registered UDIDs — every device that's been added to this profile
  • Developer certs — common name, team OU, and certificate validity from the embedded X.509 chain
Provisioning profile 101

What's actually inside a .mobileprovision file?

A provisioning profile is Apple's way of binding three things together: which app (App ID), which devices (UDIDs), and which developer (signing certificate). Without a matching profile, iOS refuses to launch a sideloaded app.

The file itself is a PKCS#7-signed plist. Apple signs the inner XML so iOS can verify it came from Apple's authority and hasn't been tampered with. The plist itself isn't encrypted — you can extract it with security cms -D -i profile.mobileprovision on macOS, or by scanning for the <?xml marker (which is what this tool does).

The four profile types

  • Development — for daily Xcode runs to a connected device. Lists specific UDIDs, has get-task-allow = true so debuggers can attach.
  • Ad-hoc — for distributing to a list of testers (up to 100 UDIDs per device type per year). No debug attach. Use this with App On The Go to share builds.
  • App Store — for submitting to App Store Connect. No UDIDs, no debug.
  • Enterprise (in-house) — for companies on the Apple Developer Enterprise Program. ProvisionsAllDevices = true, no UDID list — runs on any device that trusts the enterprise certificate.

Most common reasons to inspect one

  • "Why won't this build install on my iPhone?" — open the embedded profile, confirm the tester's UDID is in the list.
  • "When does this expire?" — profiles last 1 year max; an expired profile means the app refuses to launch even though it installed fine.
  • "Who signed this?" — confirm the certificate's Common Name matches the developer who's supposed to be shipping the build.
  • "Are push notifications enabled?" — check the aps-environment entitlement.
  • "What App ID is this profile bound to?" — the application-identifier tells you, including the team prefix.

Privacy note

The UDIDs in a development or ad-hoc profile are PII — they uniquely identify specific physical iPhones and iPads. Don't post a decoded profile publicly; treat the UDID list the way you'd treat a list of email addresses.

This tool processes the file entirely in memory on our server. Nothing is saved; the decoded result lives only on this page in your browser.

Got the right profile? Ship the IPA.

Once the UDIDs are registered and signed in, App On The Go gives you an OTA install link those exact devices can tap.

Share an IPA Find a tester's UDID