In production we will use a REST web service secured with SSL (HTTPS) while in development we're not using SSL (HTTP).
To allow HTTP communication we've configured our development hosts with NSTemporaryExceptionAllowsInsecureHTTPLoads set to true.
Is it considered acceptable to ship apps with this setting or is there a better way to do this? We weren't sure if Apple would object to this configuration.
Went with Roman's suggested approach and enabled ATS for debug but disabled it for all release builds. https://stackoverflow.com/a/32704702/47281
Related
While applying an iOS app developed by me to FUT. They were able to intercept, view and modify all traffic between the app and the server even though the traffic was sent over SSL.
A selfsigned certificate was installed on the phone prior to testing. The app traffic was then redirected to a proxy server which presents the self-signed certificate.
In order to bypass the SSL Pinning, the team has hooked on the runtime of the application (process) and have injected code on runtime, which has disabled the function which checks for the SSL Pinning to be made with the corresponding server.
In case this help. I am using Alamofire 4.7.2, Moya 11.0.2
I have no idea about how to do the ssl pinning, please help.
I'm a relatively new programmer to backend security so very much in the dark about how to set up HTTPS. I'm currently writing an IOS app that is sending http requests to my public EC2 backend domain, however I'm trying to transition this to HTTPS. Right now the backend is running on the developmental Flask server using HTTPS with a self signed certificate. However the problem is that on the IOS app side, it rejects this as invalid so I'm unable to test HTTPS dependant features. I tried to use the domain exception with the infoplist and ip.xip.io but it still complains that someone could be pretending to be this address. Could someone list in a very systematic way how I should approach building this out,i.e are there any free CA's, do I need a cert from a CA, and how to go about properly connecting the app and backend with HTTPS using my ec2 public ip.
Perhaps the iOS app will authenticate properly using a free community certificate. Investigate free certificate authorities, like letsencrypt. There are several. These work like the commercial CAs such as GoDaddy.
Actually the easiest solution was to just use Ngrok
I am trying to enable http2 protocol on a Azure Web app, MVC application without any luck. The tutorial is simple just activate the 2.0 in Application settings of the portal, Http2 online tests states that the http2 protocol is enabled, no requests is on http2.
Https is enabled, minimum tls version set to 1.2... any ideas on what can go wrong?
It seems that an antivirus on my computer was the root cause for all the requests still being on the http. After i disabled it the requests were, as expected on http2.
I am using a single https static URL in my iOS application. I want to secure that using ATS. I am confused which exception should be used in .plist file.
1-NSIncludesSubdomains
2-NSExceptionAllowsInsecureHTTPLoads
3-NSExceptionRequiresForwardSecrecy
4-NSExceptionMinimumTLSVersion
5-NSThirdPartyExceptionAllowsInsecureHTTPLoads
6-NSThirdPartyExceptionRequiresForwardSecrecy
7-NSThirdPartyExceptionMinimumTLSVersion
Thanks in advance
You don't need to add any flags in ATS to enable secure communication. ATS flags are used to exclude domains from requiring https communication.
Make sure your url you use starts with https and it will connect securely.
Now, there are more advanced things you can do, such as certificate pinning, but that doesn't involve ATS, and I'd recommend using something like Alamofire to help do all that configuration properly.
I'm fairly new to SSL and secure connections in general. What are the major steps required for an iOS app to talk to a server over a secure communications channel?
I'm aware that an SSL certificate will probably be necessary. I'm planning to purchase one from a trusted certificate authority. However I'm not sure if both the app and the server need certificates or if it's just the server. Also I'm not sure how to handle SSL errors. Perhaps there's a library that can help with this like ASIHTTPRequest or similar.
If you are using HTTPS as your protocol for communication and have valid certificates on your server all that should be required is changing your http:// to https:// on your client. For HTTP libraries a very popular option now is AFNetworking. It is a bit better maintained than ASI and has some nice block features not supported by ASI.
As far as SSL errors, it is usually a good idea to present the warnings to end users (through alert views or some other means). They could point to real security attacks (but more likely will point to miss configured or expired certificates).