video doesnt load in wkwebview using Secure CocoaHTTPServer - ios

Below snapshot has 2 wkwebviews in the iOS app.
Upper part - wkvebview1: loads html page from locally hosted secure CocoaHTTPServer on port 51092.
Lower part - wkvebview2: loads http url from locally hosted CocoaHTTPServer instance on port 51091.
Images loads fine in both wkwebviews. Not able to load video with secure webserver.
Is there any known limitation for wkWebview in iOS10 for video using secure webserver?
Sample iPhoneHttpServer Github link

SSL/TLS security requires a certificate that's valid for your server's hostname; by default, a WebView will not load content from a TLS server that cannot present a valid certificate. This makes secure mode for the HttpServer class essentially useless, as iPhones do not have stable public hostnames, and it is impossible to obtain a valid certificate for localhost.
In any case, enabling secure mode on a server running locally is hardly necessary; traffic to that server is local to the device, and cannot be intercepted.

Related

Accessing local computer in browser with company domain suffix

I am running web server for my application (Angular) on my work laptop and whenever I want to access it from my laptop I have to go to https://localhost.company.com:8000/ so that my login cookies are sent to my local proxy server that communicates with development server. This works fine, but I need to access this local server from iPhone devices, but it seems that they don't recognize URL as local IP with suffix. So when I enter https://192.168.1.100.company.com:8000/ it won't find the server. It will find the server if I omit the .company.com, it will load the index file served by server, but it won't send cookies to my proxy endpoint and therefore the app is not working.
Is there a way to access this local server with cookie sending on iPhone/iPad devices?

Figuring out to set up HTTPS

I'm a relatively new programmer to backend security so very much in the dark about how to set up HTTPS. I'm currently writing an IOS app that is sending http requests to my public EC2 backend domain, however I'm trying to transition this to HTTPS. Right now the backend is running on the developmental Flask server using HTTPS with a self signed certificate. However the problem is that on the IOS app side, it rejects this as invalid so I'm unable to test HTTPS dependant features. I tried to use the domain exception with the infoplist and ip.xip.io but it still complains that someone could be pretending to be this address. Could someone list in a very systematic way how I should approach building this out,i.e are there any free CA's, do I need a cert from a CA, and how to go about properly connecting the app and backend with HTTPS using my ec2 public ip.
Perhaps the iOS app will authenticate properly using a free community certificate. Investigate free certificate authorities, like letsencrypt. There are several. These work like the commercial CAs such as GoDaddy.
Actually the easiest solution was to just use Ngrok

Creating HTTPS server in iOS device

My requirement is running a HTTPS server on the device it won't connect to the external clients. Both client and server is my application only.
For example, if there is a request https://myip/getUserData from my app, my app fetch information from core data and returns to the client(that is also my app)
I was able to create an HTTP server in my app following the below link. but I want the same in HTTPS. That means to run the HTTPS server.
http://www.cocoawithlove.com/2009/07/simple-extensible-http-server-in-cocoa.html

How can a client app using HTTPS be tested for protection against a MITMA?

I have an iOS client app which connects to a server using HTTPS.
I've added code in the client to verify the identify of the server.
How can a tester testing this feature test that it is now secure, how can they for example create a MITM situation and check that the client rejects connects etc.?
I've tried googling for how to do this but haven't had much luck.
Can it be done using tools like Charles and proxies etc. or is messing around with a wireless router and having detailed knowledge necessary?
This might be over simplification for your solution, but concepts might help.
A web browsers extracts the name of hosts from embedded certificate and do a comparison of host name that we're trying to connect with. If validation fails, we usually see a security warning. For ex: we can connect with facebook by either typing https://www.facebook.com or by typing https://173.252.100.16/. When we choose second option, we get a security warning.
Your program must be using SSL client socket to connect with HTTPS server. The socket must be having capability to extract the hostname from the embedded certificate. Once you get that, compare that with valid HOST NAME that your program is trying to connect with. If it matches, let request proceed, If not, abandon that session.
To re-create MITM, your web server can use a self signed certificate that can be issue to whatever host name you want, but the IP of server could be 127.0.0.1 (for example). Since there is a mismatch between the host name and actual IP, we can probably simulate the MITM situation.
I'm assuming that digital certificate can't be forged in this case.

HTTP live stream over https

I'm just having a problem with understanding if I can get Apple HTTP live stream working over HTTPS.
I want to establish a https connection between a apache server holding the segmented media files and a ios client, be able to stream content that way. i tried it with and without certificate (including a intermediate in SSLCertificateChainFile) but nothing works. all is fine when i use http, but if I switch to https it doesn't work.
does anybody have a running linx configuration for that?

Resources