All websites mention that Passbook passes can be sent by e-mail. But when the pass (generated by our server) is attached to an e-mail, the iOS e-mail client won't open it and write "(null)" instead. The same pass works fine on Android and also has no problems communicating with our web service. Any ideas? Google searches didn't offer any solutions.
Screenshot:
Solved: There were multiple problems:
The authentication token has to be at least 16 characters long
I used the "Apple Inc. Root Certificate" (wrong one) instead of the "AppleWWDRCA" (correct one)
For production the web service needs to use https
You get that when the pass in invalid, most likely due to it being incorrectly signed and/or the pass certificate has expired.
Drag your pass into iPhone Simulator and check the Console app to look for error in the logs.
Related
The bounty expires in 4 days. Answers to this question are eligible for a +250 reputation bounty.
Jugal Thakkar wants to draw more attention to this question.
I have an enterprise Flutter application that needs to launch the login page for the user's Identity Provider (IdP) inside a webview within the app. The IdP supports certificate-based authentication using a certificate present on the user's device (through MDM) to authenticate the user without needing to provide any credentials.
When launching a safari browser to launch this page, it works fine. Safari prompts the user to select a certificate the first time from the ones available and Safari sends it to the server and page successfully proceeds to present the protected resource.
Another requirement is that we need to open the IdP page using a specific user-agent string so that their firewall can be configured to only allow selected apps and not any random Safari page.
Unfortunately, the Safari In-App Browser does not allow overriding user-agent. While using an in-app web view using https://pub.dev/packages/flutter_inappwebview or https://pub.dev/packages/webview_flutter we are unable to get the certificate prompt like the one we see in safari and the communication fails with the following SSL error, with code -1200
An SSL error has occurred and a secure connection to the server cannot be made
When using InAppWebView from https://pub.dev/packages/flutter_inappwebview and accessing the protected site, the onReceivedClientCertRequest handler gets invoked, but I am not sure how to pass the device certificate back in the response. The ClientCertResponse expects a path to the certificate, what should this be?
Is there a way to retrieve the appropriate certificate from the OS's secure storage (keychain?) and send it to the web page? Either Flutter or native iOS code is ok. We are only focusing on iOS for this use case.
I finished setting up the webservice routes according to Apple documentation and I am able to sign and provide passes. Unfortunately I am experiencing the following problem. When I define the webServiceUrl as "https://localhost:5000/wallet/" the signing of the pass works as expected. I am then using the pass in the iOS Simulator where I have enabled the "Allow Http Services" in the developer settings but I am still getting the "An SSL error has occurred and a secure connection to the server cannot be made" error. Trying then to use http instead of https directly in the definition of the webServiceUrl in the pass.json file produces a signing error. Do you know which steps have to be made to be able to test pass updates locally?
The warning is telling you everything you need to know.
Change your webServiceUrl to http://localhost:5000/wallet/. The developer option means that you don't have to use https and the pass should still install on any device with "Allow Http Services" set.
I am debugging network calls of one of the client's application whom code I am not having. The steps I have gone thorough is as below.
1) Install fiddler in a windows system.
2) unable HTTPS decryption.
3) set the system proxy to match the client's country. (USA)
4) install the app on iOS to which is on same network.
5) Installed the Fiddler certificate in phone, added to trusted certificate
6) Applied the manual proxy matching the same internal IP of the windows system. (not the system proxy of USA)
Now when I open the app, I am able to trace the network calls till login page. Also able to detect network call which send the credentials.
But after loading for 5-8 seconds, the app shows "something went wrong, we are unable to serve you"
I am not able to see any trace of my machine IP (internal IP), in network calls being sent. I changed my phones Timezone in case that is the triggering point for stop serving.
Also randomly after 2-3 attempts the following popup comes. I have set the Client Certificate as asked, which was downloaded from http://ipv4.fiddler:8888 .
There are many other apps for which I am able to see the entire network calls but not for this specific one.
Is there any issue in my system settings or the app provider have mechanism to identify man in the middle proxies. Or certificate issues?
Update 1 : I checked the fiddler log and found the below error
HTTPS hand shake to TargetURL failed The exact error was "a call to SSPI failed, see inner Exception, the certificate chain was issued by an authority that is not trusted. is this case if SSL Pinning?
You are mixing up the certificates. Usually the problem is the server certificate, however in your case the problem arises from a client certificate. A SSL client certificate is a optional feature that allows to identify a user based on a certificate + private key instead of username+password. It is often used in companies where each user has a certificate+private key on a smart card.
There are now two possibilities:
The iOS app includes a client certificate+private key and the app developers use this to protect the communication API (a bit similar like an API key). In this case you have to extract the certificate and the private key and provide it to Fiddler. Most likely certificate and private key are the same for every device world-wide and can be found as static resource in the iOS app (potentially obfuscated or somehow protected).
The server asks for a client certificate but providing a certificate is optional. I don't know if Fiddler can handle this situation.
I'm using JMeter's proxy to record the HTTP traffic from a mobile app.
It works fine with non secure HTTP requests, but when I try to make a HTTPS request I get an error: "The certificate for this server is invalid" (see screenshot below).
This is of course expected. If I'm on a PC I can simply click on "accept bad certificate" (or something like that) but this isn't an option for my mobile app (I'm testing amazon's app for example).
Is there a way to get my iPhone (or other mobile device) to accept JMeter's certificate?
Is there another way to do this with a REAL mobile device?
edit:
Some of the answers talk about how to modify my app.
I can't modify the app myself - so I need a solution that doesn't require any app modification.
After some research I found this link:
http://nat.guyton.net/2012/01/20/adding-trusted-root-certificate-authorities-to-ios-ipad-iphone/
Which almost works :)
The comments say that in iOS 6 and up using a MD5 doesn't work, and the default key JMeter is using is MD5.
Any thoughts?
Update Feb 13, 2014:
I had given up on this originally, but recently came across an article about using Charles proxy with a real device to capture SSL traffic by adding a certificate to your iPhone. After following the instructions here it works!
http://www.charlesproxy.com/documentation/faqs/ssl-connections-from-within-iphone-applications/
So now I know a solution IS possible, but I'm still stuck on how to get it to work - now using JMeter 2.11 and iOS 7
Thanks
Ophir
These related questions may be helpful:
iphone: secure restfull server "The certificate for this server is invalid
HTTPS Service is not working
HTTPS post request in IOS
I just happened to write an article on that given the new restrictions on iOS 13. In a nutshell:
Generate a certificate.
Import it into your proxy tool (I used OWASP ZAP).
Import the certificate into iOS and add it as a trusted authority.
Access iOS’ proxy settings and point it to your computer.
Full details in the article link below. Hope you find it helpful.
Best regards,
Andre
https://link.medium.com/gcU2SYZtn4
I have a custom mdm solution running for IOS.
during enrollment, I am using HTTP basic authentication to pass the user name and password to be verified against our db/AD.
if the user is denied access, I send a 401.
however, on the IOS side, it pops up an error that says "safari could not install a profile due to an unknown error". Seems like a pretty bad error where I want it to say access denied.
Also there's an issue that safari decides to cache the credential used, so I don't get a chance to re-enter the user/pass again unless I clear all the cookie/cache data.
Anyone have met this issue before?
Looks to be issue with my code.
I've sent a 401, but actually the specification calls for a WWW-Authenticate header to be sent as well. With that added it, it's working normally now.
Have you considered using a more widely tested MDM solution such as AirWatch? A solution such as this has integration with AD and would be an excellent option for you to evaluate.