iOS: itms-services with proxy authentication - ios

I am using itms-services to install my app over the air. Everything is working fine if I don´t use a proxy. The app installs properly in iOS6 and iOS7.
But if I use a proxy I simply get the message that the app could not be installed. I get no more information. There is also nothing in the device logs. I am sure that the proxy information in the settings are correct.
The proxy uses basic authentication. I used wireshark to have a look at network traffic.
The iPad sends the proxy credentials correctly when requesting the ipa file for installation.
But the proxy still sends an access denied back to the iPad. Once again I am sure that the credentials are correct.
Is it even possible to use itms-services with a proxy that uses proxy authentication? Has someone ever used itms-services with proxy authentication?
I hope someone can help me. Thanks for your help in advance!

It turned out to be a simple problem. Our provider blocked the CA of the server certificate. When the iPad wanted to check if the server certificate is valid it tried to get the root certificate. But the proxy blocked that request. Strange that apple does not give any hint on that in device logs or anywhere else.
So the "proxy authorization required" by the server had nothing to do with the real problem.
The answer to the actual question is: It is possible to use itms-services to install apps OTA with proxy authentication. (We used basic auth in this case?

Related

Misdirected Request happening on Apple devices

An annoying and persistent issue that I've been facing is a "Misdirected Request Error The client needs a new connection for this request as the requested host name does not match the Server Name Indication (SNI) in use for this connection" when carrying out an AJAX request from my front end to the back end. CORS origin has been taken care of. The weird thing is that this issue only occurs with Apple devices (iPhone/Mac Book) on Safari and Chrome. Other Android and Windows devices work seamlessly. I tried purchasing an additional dedicated SSL certificate to my domain which includes two subdomains (the frontend and backend) from GoDaddy.
Any other tips/solutions please?
Issuing a separate SSL certificate for the two sub-domains did the trick. Make sure that the two sub-domains are not grouped under the same certificate.

Network Sniffing/SSL Pinning : Not able to get post through the login page in a mobile app when detecting traffic with Fiddler

I am debugging network calls of one of the client's application whom code I am not having. The steps I have gone thorough is as below.
1) Install fiddler in a windows system.
2) unable HTTPS decryption.
3) set the system proxy to match the client's country. (USA)
4) install the app on iOS to which is on same network.
5) Installed the Fiddler certificate in phone, added to trusted certificate
6) Applied the manual proxy matching the same internal IP of the windows system. (not the system proxy of USA)
Now when I open the app, I am able to trace the network calls till login page. Also able to detect network call which send the credentials.
But after loading for 5-8 seconds, the app shows "something went wrong, we are unable to serve you"
I am not able to see any trace of my machine IP (internal IP), in network calls being sent. I changed my phones Timezone in case that is the triggering point for stop serving.
Also randomly after 2-3 attempts the following popup comes. I have set the Client Certificate as asked, which was downloaded from http://ipv4.fiddler:8888 .
There are many other apps for which I am able to see the entire network calls but not for this specific one.
Is there any issue in my system settings or the app provider have mechanism to identify man in the middle proxies. Or certificate issues?
Update 1 : I checked the fiddler log and found the below error
HTTPS hand shake to TargetURL failed The exact error was "a call to SSPI failed, see inner Exception, the certificate chain was issued by an authority that is not trusted. is this case if SSL Pinning?
You are mixing up the certificates. Usually the problem is the server certificate, however in your case the problem arises from a client certificate. A SSL client certificate is a optional feature that allows to identify a user based on a certificate + private key instead of username+password. It is often used in companies where each user has a certificate+private key on a smart card.
There are now two possibilities:
The iOS app includes a client certificate+private key and the app developers use this to protect the communication API (a bit similar like an API key). In this case you have to extract the certificate and the private key and provide it to Fiddler. Most likely certificate and private key are the same for every device world-wide and can be found as static resource in the iOS app (potentially obfuscated or somehow protected).
The server asks for a client certificate but providing a certificate is optional. I don't know if Fiddler can handle this situation.

iOS8 Simulator: Proxy authentication pop up not being shown

The corporate network which I am using is having "proxy" set up to connect to internet. I made the necessary changes in Network settings in mac and I am able to see websites loading in Safari (I have entered the credentials and saved in KeyChain also), but when I try to access the sites via iOS simulator, the connection fails and asks for authentication but the problem is that no pop-up is being shown so that I can enter the username and pwd. I have seen the pop-ups in iOS6 simulator and it used to work. I would like to know whether I need to do some changes specifically to iOS simulator to get this working?
I tried turning on Settings -> Developer -> Allow HTTP services, this works when you are in an open network (home), but in corporate network auth error is being show in a plain html page and there is no pop-up to enter credentials. I also tried restarting the simulator none of this fixed the issue .
Below is the error
Error Code :407 Proxy Authentication Required. Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied. (12209).
Thanks in advance
-anoop
This is mentioned as a known issue in the Xcode 6.1 Release Notes:
iOS Simulator does not support the use of network proxy servers that
require authentication. (14889876)

JMeter - How can I use the proxy with secure mobile pages?

I'm using JMeter's proxy to record the HTTP traffic from a mobile app.
It works fine with non secure HTTP requests, but when I try to make a HTTPS request I get an error: "The certificate for this server is invalid" (see screenshot below).
This is of course expected. If I'm on a PC I can simply click on "accept bad certificate" (or something like that) but this isn't an option for my mobile app (I'm testing amazon's app for example).
Is there a way to get my iPhone (or other mobile device) to accept JMeter's certificate?
Is there another way to do this with a REAL mobile device?
edit:
Some of the answers talk about how to modify my app.
I can't modify the app myself - so I need a solution that doesn't require any app modification.
After some research I found this link:
http://nat.guyton.net/2012/01/20/adding-trusted-root-certificate-authorities-to-ios-ipad-iphone/
Which almost works :)
The comments say that in iOS 6 and up using a MD5 doesn't work, and the default key JMeter is using is MD5.
Any thoughts?
Update Feb 13, 2014:
I had given up on this originally, but recently came across an article about using Charles proxy with a real device to capture SSL traffic by adding a certificate to your iPhone. After following the instructions here it works!
http://www.charlesproxy.com/documentation/faqs/ssl-connections-from-within-iphone-applications/
So now I know a solution IS possible, but I'm still stuck on how to get it to work - now using JMeter 2.11 and iOS 7
Thanks
Ophir
These related questions may be helpful:
iphone: secure restfull server "The certificate for this server is invalid
HTTPS Service is not working
HTTPS post request in IOS
I just happened to write an article on that given the new restrictions on iOS 13. In a nutshell:
Generate a certificate.
Import it into your proxy tool (I used OWASP ZAP).
Import the certificate into iOS and add it as a trusted authority.
Access iOS’ proxy settings and point it to your computer.
Full details in the article link below. Hope you find it helpful.
Best regards,
Andre
https://link.medium.com/gcU2SYZtn4

Implicitly trust SSL certificates in iOS app for private API

I'm working on an iOS app with a rails backend, running on a VPS (via my own domain).
My question is: is it insecure to use a self-signed SSL certificate on my server and ignore the warnings from NSURLConnection while communicating with it, considering that this is a private API which is only accessible via my iOS app?
The safe way to go in this scenario is: Sign it yourself and manually add the certificate to the local certificate database of every system you work from, so you don't need authentication to know it's yours. Sometimes this can be done automatically as easily as checking the box "ignore the warning for this certificate" the first time you connect from each system, which will prevent you from seen it again on that system unless the certificate changes.
This way you won't see the warning again, unless it's somebody else's self certificate you're looking at.
Ignoring the warning by default usually means that if somebody else signs its own certificate and presents it to you, you will go along without even noticing. Not a good idea.

Resources