How to implement SSL Pinning on SFSafariViewController? - ios

In my app, I've set up SSL Pinning on all my REST requests with the help of AFNetworking. This helps prevent MITM attacks. When I test my app using Charles proxy as the "man in the middle", the requests fail as expected. However, this is not the case for my login flow (Oauth 2.0) via SFSafariViewController. That is because ... this process of logging in is unrelated to AFNetworking.
I believe the problem could be solved if there was a way to achieve SSL Pinning on SFSafariViewController.
1) Is there a way to do this? I could not find anything online about this.
2) What are some ways people go about solving this problem? It seems like it is a security issue.

To me the following comment makes sense.
there is no way to do any SSL pinning in SFSafariViewController, for two reasons:
The SFSafariViewController class does not provide any API for
customizing SSL validation and handling authentication challenges.
When used, the SFSafariViewController is actually run in a separate
process and the app's code has no access to it at all. Hence
swizzling does not affect the SFSafariViewController as it only
happens in the app's process.
Reference:-
https://github.com/datatheorem/TrustKit/issues/163

You could use WKWebView (WebKit) and create your own version of SFSafariViewController that has your pinning for where you use SFSafariViewController, but you can not certificate pin in SFSafariViewController. If you are using SFSafariViewController for downloading configuration profiles, then you are stuck, no cert pinning allowed and WKWebView will not "store" configuration profiles for installation, only Safari.app and SFSafariViewController can do that, to my knowledge.

Related

Configure browser cache in SFSafariViewController using Swift iOS

In my application I am implementing a feature where for some part I need to open my website using SFSafariViewController. For this I don't want the user to login again in the web application as well, so before I open the SFSafariViewController I want to pass some token, mail and other required information. So is this feasible and would allow me to use browser cache.
SFSafariViewController is very limited in what you can configure, as seen by the documentation: https://developer.apple.com/documentation/safariservices/sfsafariviewcontroller. Apple intentionally keeps cookies and safari configuration separate from apps that are using it for security and privacy reasons.
I don't know if this is exactly what you're seeing, but I faced a similar issue where, if a user logged in via SFSafariViewControler, then logged out (not using SFSafariViewController), then logged in again, it wouldn't ask for a login/pass because it was still cached in the browser.
Pretty much the only 2 options for this are:
Have the logout flow take place within SFSafariViewController so that you can clear the cookies that way.
Apple has a new auth flow class ASWebAuthenticationSession (docs here) which has a new property you can set called prefersEphemeralWebBrowserSession which essentially opens the browser in private mode. This keeps any cookies from being stored in the browser. The only downside to this, is the prefersEphemeralWebBrowserSession property is only available in iOS 13+.
If this is the same issue you're facing and you can limit your app to iOS 13+, then I would suggest the ASWebAuthenticationSession route, otherwise you may need to find another solution.

Ionic app on iOS requires turning off Safari setting "prevent cross-site tracking"

We have an Ionic 4 (Cordova/Angular) app that makes requests to a REST API backend with HttpClient, using cookies for authentication.
The app runs fine on Android (which apparently proves that we've configured CORS correctly). We are now in the process of adapting it for iOS. We have found that when the Safari setting "prevent cross-site tracking" is turned on (which it is by default), WkWebView ignores the Set-Cookie header that is sent by the backend in response to a successful login request, causing all subsequent requests to fail.
Is there a way to avoid the problem without requiring all users to turn off this setting (which is definitely not an option)? We have considered switching to JWT authentication, but I'm afraid that it won't solve the problem, as our backend expects JSON, and according to the docs, "Content-Type: application/json" headers also cause the request to be considered as a CORS request.
Additionaly, we have come across another problem which seems to be related. The app won't run on the iOS simulator on macOS - the Set-Cookie headers are ignored, even if we switch the above setting off! Meaning we can debug the app only on a physical device, which is quite a hindrance.
After several hours of searching on the web, and not finding any similar complaints, I have the feeling that I'm missing something obvious.
This library has come to my rescue: ionic-native-http-connection-backend
Quoting from the docs:
This library adds #ionic-native/http (when available) as a connection backend to Angular's Http and HttpClient
Motivation
Now that Apple promotes/requires the use of WKWebView instead of the deprecated UIWebView, Ionic has switched newly created apps over via their cordova-plugin-ionic-webview (and Cordova offers it via their cordova-plugin-wkwebview-engine). That causes requests that used to work just fine to fail with CORS errors.
The real solution of course is to fix the CORS issues server side - but this may not be possible with e.g. 3rd party APIs.
Even though there is a way to solve CORS issues without changing server's response header by using #ionic-native/http, this only works on device and doesn't provide all the power of Angular's Http and HttpClient.
How it works
The library provides a HttpBackend interface for Angular's HttpClient
This HttpBackend interface tries to use #ionic-native/http whenever it is possible (= on device with installed plugin)
If HttpBackend finds it impossible to use #ionic-native/http, it falls back to standard Angular code (HttpXhrBackend, which uses XmlHttpRequest)
This strategy allows developers to use Angular's HttpClient transparently in both environments: Browser and Device.
Although I still find it strange, that the developer only mentions the library's intended use for situations where CORS can't be configured server-side, but not the 2 problems that it solves for me, namely 1) having to require all users to allow cross-site tracking, and 2) not being able to use the simulator.

do ios webviews check urls for malware before opening them?

If I open arbitrary urls in my ios application, will I have to do my own malware/phishing/etc... checks? Does the webview (implicitly) do any work on my behalf (or would i have to switch a setting somewhere?)?
In short: no.
UIWebView only has some restricts about javascript same-origin policy, and iOS has it's own SSL Certificates Validation (TLS Chain Validation) which can help UIWebView a little bit safe.
If you want to check malware, phisinng, ... you're free to do it.
No, it uses Webkit under the hood, which does not check for malwares, but it may give you only hints on expired certificates, self-signed certificates or invalid ones.
You should implement a request filter, which performs better SSL checks for valid certificates and uses some third-party anti-malware / dangerous domains and keep them out. In that case, you just ignore "that" request.

iOS: itms-services with proxy authentication

I am using itms-services to install my app over the air. Everything is working fine if I don´t use a proxy. The app installs properly in iOS6 and iOS7.
But if I use a proxy I simply get the message that the app could not be installed. I get no more information. There is also nothing in the device logs. I am sure that the proxy information in the settings are correct.
The proxy uses basic authentication. I used wireshark to have a look at network traffic.
The iPad sends the proxy credentials correctly when requesting the ipa file for installation.
But the proxy still sends an access denied back to the iPad. Once again I am sure that the credentials are correct.
Is it even possible to use itms-services with a proxy that uses proxy authentication? Has someone ever used itms-services with proxy authentication?
I hope someone can help me. Thanks for your help in advance!
It turned out to be a simple problem. Our provider blocked the CA of the server certificate. When the iPad wanted to check if the server certificate is valid it tried to get the root certificate. But the proxy blocked that request. Strange that apple does not give any hint on that in device logs or anywhere else.
So the "proxy authorization required" by the server had nothing to do with the real problem.
The answer to the actual question is: It is possible to use itms-services to install apps OTA with proxy authentication. (We used basic auth in this case?

JMeter - How can I use the proxy with secure mobile pages?

I'm using JMeter's proxy to record the HTTP traffic from a mobile app.
It works fine with non secure HTTP requests, but when I try to make a HTTPS request I get an error: "The certificate for this server is invalid" (see screenshot below).
This is of course expected. If I'm on a PC I can simply click on "accept bad certificate" (or something like that) but this isn't an option for my mobile app (I'm testing amazon's app for example).
Is there a way to get my iPhone (or other mobile device) to accept JMeter's certificate?
Is there another way to do this with a REAL mobile device?
edit:
Some of the answers talk about how to modify my app.
I can't modify the app myself - so I need a solution that doesn't require any app modification.
After some research I found this link:
http://nat.guyton.net/2012/01/20/adding-trusted-root-certificate-authorities-to-ios-ipad-iphone/
Which almost works :)
The comments say that in iOS 6 and up using a MD5 doesn't work, and the default key JMeter is using is MD5.
Any thoughts?
Update Feb 13, 2014:
I had given up on this originally, but recently came across an article about using Charles proxy with a real device to capture SSL traffic by adding a certificate to your iPhone. After following the instructions here it works!
http://www.charlesproxy.com/documentation/faqs/ssl-connections-from-within-iphone-applications/
So now I know a solution IS possible, but I'm still stuck on how to get it to work - now using JMeter 2.11 and iOS 7
Thanks
Ophir
These related questions may be helpful:
iphone: secure restfull server "The certificate for this server is invalid
HTTPS Service is not working
HTTPS post request in IOS
I just happened to write an article on that given the new restrictions on iOS 13. In a nutshell:
Generate a certificate.
Import it into your proxy tool (I used OWASP ZAP).
Import the certificate into iOS and add it as a trusted authority.
Access iOS’ proxy settings and point it to your computer.
Full details in the article link below. Hope you find it helpful.
Best regards,
Andre
https://link.medium.com/gcU2SYZtn4

Resources