I'm currently developing my app, developer and a friend told me that have saw all the http requests with the parameter (AFNetworking), how to hide this? And see how these requests? Thank you
Your app should connect to web services over an HTTPS connection. And Apple will require HTTPS connections for iOS apps by the end of 2016.
Check Apple's documentation : Using Networking Securely
Related
Apple rejected an app because it didnt work on their IPv6 network. I've managed to test this on my end using an ipv6 only address and can see that the third party API i'm using is unreachable when using an IPv6-only address.
Any time i try to use the API I get the response
A server with the specified hostname could not be found
The same thing happens if I manually go the URL in safari, whereas other IPv6-ready sites like gmail etc work.
So my question is do I need to get the developers of the API I'm querying to update their servers to support IPv6 in order to get this working, or is there something I should be doing on the app side in order to make this work?
There's no need to change any external servers. It's all about the client. If by this "third party API" you mean they have a library which you include into your app, then perhaps they are doing something in their code that is not working correctly; if this is the case, then you need to ask them to fix their client library.
I have set up an API endpoint on my Digital Ocean VPS to receive incoming SMS to my Twilio number. It was working.
Then I started using CloudFlare. I believe that it stopped working after that, but since I receive SMS so infrequently, I am not absolutely sure. Although Twilio's website indicates that they sent an HTTP request and received a 502 Bad Gateway error, my server logs never registered any incoming requests from Twilio. I know that my API endpoint works because when I manually enter the API endpoint in my Chrome browser, my server receives it and logs the GET request as expected.
I tried asking Twilio's support for the full details of the supposedly failed request, but they refuse to give it to me.
Does anyone know which setting in CloudFlare to adjust that may fix this? I've tried turning off and reducing all the security settings as I thought it may be a firewall issue. How else can I go about debugging this problem without turning off CloudFlare completely (I need it on for other purposes)? I will accept the first answer or advice that leads to the solution. Thanks!
EDIT: this is the response from CloudFlare
One thing to ask them, is whether they support the SSL configuration
of Universal SSL - which uses SNI and ECDSA. We have seen instances of
3rd party services not supporting one or both of these, and therefore
failing to make calls via HTTPS.
Universal SSL support is defined by the client machine's support for
two newer features:
Server Name Indication (SNI) Elliptic Curve certificates (ECDSA) What
browsers work with Universal SSL?
If you need broader browser compatibility for older browsers/operating
systems, our Pro plan plan provides this.
Also, if you want to get full information about what your browser
supports, this site will run a check on your browser and tell you the
support your browser has for protocols, ciphers and SNI:
https://cc.dcsec.uni-hannover.de/
Twilio developer evangelist here.
Good news, Twilio now supports SNI! So, this should no longer be a problem.
You might want to check Server Name Indication (SNI) Twilio does not support this, so as a result you get 502 Bad Gateway. Same thing was happening to me. I was able to fix this using Cloud flare Pro see this post
Twilio - TwiML with SNI Support
I want to record web requests using fiddler of an iOS7 native app which using https protocol (with trusted certificates) to communicate with server. I could able to record the requests and after Https decryption option disabled and its worked fine. When Https decryption option enabled app shows invalid/untrusted certifificate alert and cannot proceed even after installing fiddler certificate in iOS.
Question is,
Is there any way to record Https request/response of iOS7 app using fiddler by imitating any other certificate as trusted certificate or anyother way to do that? any suggestions? any other tools? I got another solution from here but it was not worked.
Thanks in advance
You need to use the Fiddler Certificate Maker add-on to generate certificates that iOS is willing to trust.
See http://blogs.telerik.com/fiddler/posts/12-12-21/using-fiddler-with-apple-ios-devices for more information.
Also keep in mind that some iOS applications (like the AppStore) use a technique called "Certificate Pinning" which means that you cannot decrypt their traffic seamlessly unless you jailbreak the device.
I'm developing a corporate web application.
The devices it is supposed to run on devices that have MobileIron and a corporate profile installed.
The app uses a corporate authentication service that authenticates based on client certificates. When I open the app in the Safari browser - the authentication is working properly. But in order to provide some of the features the app had to be wrapped in a PhoneGap shell. And the authentication has stopped working.
As far as I understand it is due to the fact that the UIWebView is unable to get the certificates from the device.
Is there any way to entitle it to or implement the handling myself?
Using MobileIron AppConnect, you can distribute certificates directly into those apps (instead of to the system keychain, which is only accessible to the built-in apps like Safari). The app can then be coded to provide that certificate to the web server when challenged. This is pretty easy to do.
http://support.mobileiron.com/appconnect will have the details.
I have to call payment gateway API from iOS code. Problem is it needs merchant credentials and I feel insecure embedding the merchant credentials in code. If someone somehow reverse engineer the code and get the credentials then the client is dead. Any advice?
I found this post Does Apple modify iOS application executables on apps submitted to the App Store? which says that app binaries are encrypted by Apple be default. Does it mean I can safely embed the credentials in code?
NO! Instead of adding the credentials to iOS app you should think about setting up a server which handles the interaction with the API, you are talking about, and let the app only interact with your server. So you can store the API key on your server and can limit whats possible by the user on server side (which will be much harder to abuse).