Develop Reference

iOS: SSL error - page not loading in WKWebView but loads in Safari

In the app I'm working on, I need to handle 3-D Secure redirects from our payment service provider. These redirects point to a web page of the card issuer that is shown in a WKWebView to the user in the app.
This works all the time except one case where the WKWebView doesn't load for https://3dsecure.csas.cz/ and fails with the following error:
Error Domain=NSURLErrorDomain
Code=-1200
"An SSL error has occurred and a secure connection to the server cannot be made."
What's interesting is that the same URL loads with no problems in Safari or in SFSafariViewController. Even the server's certificate is okay:
I've tried to play around with NSAppTransportSecurity settings in app's Info.plist file, specifically enable NSAllowsArbitraryLoadsInWebContent and NSAllowsArbitraryLoads but it does have no effect.

Forward Secrecy
It turns out that the server for 3dsecure.csas.cz does not support Forward Secrecy: https://www.ssllabs.com/ssltest/analyze.html?d=3dsecure.csas.cz&s=194.50.240.77
Perfect forward secrecy is required by App Transport Security in iOS9 and above for all app connections, including webviews (not including Safari, however)
ATS Debugging
Running the following command in Terminal runs ATS diagnostics and tells more about the problem and how to solve it:
/usr/bin/nscurl --ats-diagnostics --verbose https://3dsecure.csas.cz
ATS Exception in the app
Allowing the webview in the app to connect to a specific server that does not support forward secrecy could be done by adding the following in the Info.plist file:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>3dsecure.csas.cz</key>
<dict>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
</dict>
</dict>
</dict>
Not future-proof
This exception needs to be added for every single domain that does not support forward secrecy. Unfortunately, It's impossible to know all the 3-d secure servers in advance as they come as redirects from the payment provider.
What I don't know is if not requiring forward secrecy could be set for any domain, globally, and just within a specific webview, without affecting the whole app.

Fatal error: Unable to get your client ID

I am using the Uber API and I did change my info.Plist but it's not recognizing the name apparently, I passed it the client ID I received from the developer dashboard.
Error in the Debugger:
Unable to locate application icon fatal error: Unable to get your ClientID.
Did you forget to set it in your Info.plist? (Should be under UberClientID key)

Your info.plist does not look right. The fields need to be the keys that the SDK can recognize. So for example, if my client ID was "my_client_id_123" and my redirect URI was "myapp://login" then my .plist would look something like this:
<key>UberClientID</key>
<string>my_client_id_123</string>
<key>UberCallbackURIs</key>
<array>
<dict>
<key>UberCallbackURIType</key>
<string>General</string>
<key>URIString</key>
<string>myapp://login</string>
</dict>
</array>
(I also wouldn't suggest posting your actual Client ID on the internet)

Swift UIWebView not loading http sites

I created a web view controller and it loads https sites(ex: , ) but not http, non ssl secured sites(ex: http://bswd.us, http://www.barretthillins.com). When i do put a hhtp site in there, it does load but just a blank, white web view. How would i need to fix this?

This is due to the App Transport Security, a new protocol introduced by Apple at WWDC 2015. It doesn't allow any connections that are not HTTPS. You can disable it, however it's not recommended as it secures your app.
To disable it you have to edit the App's .plist. Simply right-click the .plist file and select Open As -> Source File and add the following code:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key><true/>
</dict>
This will allow HTTP requests.
Hope that helps, Julian.

You can also allow access to http content just through webviews, by adding this instead:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoadsInWebContent</key>
<true/>
</dict>

Facebook Actionscript API Login

I am currently having problems using a WebView with this API to login to my app. I feel like I've set up something wrong somewhere, but can't put my finger on it.
Here's the error I'm getting :
Given URL is not allowed by the Application configuration code:191
I've set up my application descriptor like this (the x's are my app id)
<key>CFBundleURLTypes</key>
<array>
<dict>
<key>CFBundleURLSchemes</key>
<array>
<string>fbxxxxxxxxxxxxxxx</string>
</array>
</dict>
</array>
<key>CFBundleURLName</key>
<string>xxxxxxxxxxxxx</string>
I don't know if I need to add a setting in my facebook app page, but I've enabled embedded browser login and that's it.
Am I forgetting something here ?
Thanks for the help !

The problem can be caused by many things. I've used this and it helped me a lot:
http://afterisk.wordpress.com/2013/02/26/first-free-facebook-single-sign-on-sso-adobe-air-native-extension-for-android/
It important to follow almost every step as there are multiple properties in Facebook that you must set.
Second, check this SO: Facebook API error code 191
I don't know what's the url that you open - it's best to get it as login url from FB.
I hope that helps and will solve your problem :)

Getting a device UDID from .mobileconfig

I'm trying to write function similar to http://whatismyudid.com/ that, then approved, will return the users UDID and store it to a database for future reference with that user.
I have written a .mobileconfig xml doc that opens in the Profile Installer just fine but when I tell it to install the profile it responds with [alert] Invalid Profile but no alert body. No description, no code, no help.
I'm new to the mobile configuration game so any help would thrill me.
Here is my configuration file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<dict>
<key>URL</key>
<string>http://apps.mortlabs.com/device/retrieve.php</string>
<key>DeviceAttributes</key>
<array>
<string>UDID</string>
<string>IMEI</string>
<string>ICCID</string>
<string>VERSION</string>
<string>PRODUCT</string>
</array>
</dict>
<key>PayloadOrganization</key>
<string>MortLabs.com</string>
<key>PayloadDisplayName</key>
<string>Profile Service</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>B958E359-34C2-42F4-BD0C-C985E6D5376B</string>
<key>PayloadIdentifier</key>
<string>com.mortlabs.profile-service</string>
<key>PayloadDescription</key>
<string>This temporary profile will be used to find and display your current device's UDID.</string>
<key>PayloadType</key>
<string>Profile Service</string>
</dict>
</plist>
The profile is initialized by navigating to http://apps.mortlabs.com/device/enroll.php with mobile safari

I found that by using the above that Apache was being talked to by the Ipad/Iphone - The post by Kyle2011 at https://discussions.apple.com/thread/3089948?start=0&tstart=0 filled in the rest of the solution.
Basically at the bottom of the retrieve.php page you need to redirect the browser to a directory by using a line similar to the following:-
header("Location: https://www.example.com/enrolment?params={$params}");
Where enrolment is a directory - this then calls the DirectoryIndex (typically index.php) which can then display stuff to your user.
To populate the $params variable you need the following line at the top of your retrieve.php script
$data = file_get_contents('php://input');
You can then parse the $data string to get what you need (try file_put_contents("data.txt", $data); or Kyle2011's example)
I also changed the Payload UDID to something different by using udidgen in a terminal on a Mac rather than just using whatismyudid.com's.
Update: From iOS 7.1 some of the files (the .plist IIRC) need to be served over https:// - they will fail to install if everything is served over http:// - probably best to serve everything including the .ipa over https:// to ensure future changes on Apple's side don't cause a problem.

Note about the last page ( FOLDER ).
If you want to use a page script for final redirection in place of a folder.
you can change this :
header("Location:
https://www.example.com/enrolment?params={$params}");
by
header("Location:
https://www.example.com/enrolment.php?params={$params}", true, 301);
Source : header function on php.net manual
it's work !

Try setting the URL to an address without .php extension. This solved the problem for me.
Now my only problem is that I can't find out how to retrieve the data sent from the iOS device to my server.
It does not seem to be in the $_POST variable.

The error you're getting is because iOS expects your profile service URL (the one it sends its UDID to) to return a configuration profile (i.e. a .mobileconfig file). I currently capture device UDIDs without returning this profile; my devices generate the alert you describe but the data is on my server.
For reference, here's the (very) simple PHP file I use to capture the data:
<?php
// set file to write
$file = 'device_data/data.p7s';
$fp = fopen($file, 'w') or die('Could not open file!');
fwrite($fp, $HTTP_RAW_POST_DATA) or die('Could not write to file');
fclose($fp);
?>
The key here is the use of the $HTTP_RAW_POST_DATA variable to capture the HTTP request body exactly as sent, without attempting to parse it into the usual name/value pairs. I'd suggest reading the documentation at this point, but it really doesn't tell you much.
Security tip: whatever the user sends in the request body, you're writing to a file on your server. If the user decides to send a shell script, PHP file, or other executable content, then visits the URL of the file you create, they can execute the code the just uploaded on your web server. So, make sure the file you write to can't be accessed via HTTP! (A .htaccess file would do the trick, or write to somewhere outside the web root.)