JMeter - How can I use the proxy with secure mobile pages? - ios

I'm using JMeter's proxy to record the HTTP traffic from a mobile app.
It works fine with non-secure HTTP requests, but when I try to make an HTTPS request I get an error: "The certificate for this server is invalid" (see screenshot below).
This is of course expected. If I'm on a PC I can simply click on "accept bad certificate" (or something like that) but this isn't an option for my mobile app (I'm testing Amazon's app for example).
Is there a way to get my iPhone (or other mobile device) to accept JMeter's certificate?
Is there another way to do this with a REAL mobile device?
edit:
Some of the answers talk about how to modify my app.
I can't modify the app myself - so I need a solution that doesn't require any app modification.
After some research I found this link:
http://nat.guyton.net/2012/01/20/adding-trusted-root-certificate-authorities-to-ios-ipad-iphone/
Which almost works :)
The comments say that in iOS 6 and up using MD5 doesn't work, and the default key JMeter is using is MD5.
Any thoughts?
Update Feb 13, 2014:
I had given up on this originally, but recently came across an article about using Charles proxy with a real device to capture SSL traffic by adding a certificate to your iPhone. After following the instructions here it works!
http://www.charlesproxy.com/documentation/faqs/ssl-connections-from-within-iphone-applications/
So now I know a solution IS possible, but I'm still stuck on how to get it to work - now using JMeter 2.11 and iOS 7
Thanks
Ophir


I just happened to write an article on that given the new restrictions on iOS 13. In a nutshell:
Generate a certificate.
Import it into your proxy tool (I used OWASP ZAP).
Import the certificate into iOS and add it as a trusted authority.
Access iOS’ proxy settings and point it to your computer.
Full details in the article link below. Hope you find it helpful.
Best regards,
Andre
https://link.medium.com/gcU2SYZtn4

Related

Misdirected Request happening on Apple devices

An annoying and persistent issue that I've been facing is a "Misdirected Request Error: The client needs a new connection for this request as the requested host name does not match the Server Name Indication (SNI) in use for this connection" when carrying out an AJAX request from my front end to the back end. CORS origin has been taken care of. The weird thing is that this issue only occurs with Apple devices (iPhone/MacBook) on Safari and Chrome. Other Android and Windows devices work seamlessly. I tried purchasing an additional dedicated SSL certificate for my domain which includes two subdomains (the frontend and backend) from GoDaddy.
Any other tips/solutions please?
Issuing a separate SSL certificate for the two sub-domains did the trick. Make sure that the two sub-domains are not grouped under the same certificate.
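The mechanism behind that fix, as an added example that is not part of the thread: HTTP/2 lets a client reuse an existing TLS connection for a second hostname when the server's certificate is valid for that name and the name resolves to the same IP (RFC 7540 section 9.1.1, "connection coalescing"); a server that routes by SNI and cannot serve the new name on that connection answers 421 Misdirected Request (section 9.1.2). Splitting the two subdomains onto separate certificates removes the first condition, so the client opens a fresh connection. The model below also covers the other way out, which goes beyond the answer above: serving both names from the same virtual host so the coalesced request succeeds. Hostnames, IPs and vhost names are constructed.

```python
"""Added example: HTTP/2 connection coalescing and why it produces 421."""
from dataclasses import dataclass
from typing import Dict, List


def san_matches(san: str, host: str) -> bool:
    """dNSName matching as browsers do it: a wildcard covers exactly one label."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        parent = san[2:]
        return host.endswith("." + parent) and host.count(".") == parent.count(".") + 1
    return san == host


@dataclass
class Certificate:
    sans: List[str]                       # subjectAltName dNSName entries

    def covers(self, host: str) -> bool:
        return any(san_matches(s, host) for s in self.sans)


@dataclass
class Connection:
    sni: str                              # host the TLS handshake was done for
    ip: str
    cert: Certificate                     # what the server presented


def client_reuses_connection(conn: Connection, host: str, dns: Dict[str, str]) -> bool:
    """RFC 7540 9.1.1: reuse is allowed when the cert is valid for the new host
    and the new host resolves to the IP the connection already goes to."""
    return conn.cert.covers(host) and dns.get(host) == conn.ip


def server_response(conn: Connection, host: str, vhosts: Dict[str, str]) -> int:
    """A server that selects its virtual host by SNI.  When :authority / Host
    names a host served by a different vhost than the SNI selected, it must not
    serve it on this connection and answers 421 (RFC 7540 9.1.2)."""
    if host not in vhosts or conn.sni not in vhosts:
        return 421
    return 200 if vhosts[host] == vhosts[conn.sni] else 421


def ajax_status(front: str, back: str, front_cert: Certificate,
                dns: Dict[str, str], vhosts: Dict[str, str]) -> int:
    """The page from `front` is already loaded over one HTTP/2 connection and
    now calls `back`.  Returns the status the browser sees for that request."""
    conn = Connection(sni=front, ip=dns[front], cert=front_cert)
    if client_reuses_connection(conn, back, dns):
        return server_response(conn, back, vhosts)
    return 200                            # fresh connection with SNI=back, served normally
```

Whether a given browser coalesces at all, and how strictly, is an implementation choice, which is why the symptom shows up on some client stacks and not others.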

Make Web Request in iOS to Web Server that Accepts Client Certificates

I am writing an iOS app that hits one of our own web servers to leverage data. The IIS web server is publicly-accessible, has valid cryptography certificates, and uses TLS 1.2. To my knowledge, all that is up to snuff with App Transport Security. When making web requests in the app, the request times out, but more interestingly, this message is logged "NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9806)".
This IIS server happens to Accept X509 client certificates for a separate use case that does not involve the mobile app. Changing the setting to Ignore results in the iOS app hitting the server fine. I assume the timeout occurs because the server is prompting the app for a client certificate and it doesn't just respond that it doesn't have one. Note, I don't have the client certificates set to Require. I am not sure how to have the iOS app play nicely and just carry on when prompted by the server for a client certificate.
Is there a way to get this to work in iOS while allowing the IIS server to still Accept client certificates? I don't want to diminish ATS by adding hacky exclusions to info.plist.
I don't think it's relevant, but I am developing the iOS app in Xamarin.IOS in C#. A request goes something like this:
    // requires: using System; using System.Net;
    using (var client = new WebClient())
    {
        // per-request nonce and its signature travel in custom headers
        client.Headers.Add(Constants.RequestHeaders.RequestId, nonce.RequestId.ToString());
        client.Headers.Add(Constants.RequestHeaders.Signature, Convert.ToBase64String(nonce.DigitalSignature));
        client.Headers.Add(HttpRequestHeader.ContentType, "application/json");
        var resultJson = client.UploadString("https://foo.com/Api/Register", json);
    }
EDIT:
I was able to resolve this issue by using the library ModernHttpClient available via NuGet. The API site accepts client certificates, but does not require them. In most browsers, this results in a one-time prompt by the browser asking you to specify the cert you'd like to use. However, in iOS, making a programmatic web request by default does not bring up a prompt (of course) nor does it inform the server it does not have a cert to provide. Hence, the request simply timed out. With ModernHttpClient, I found a way to set this behavior to automatically resolve.
    // requires: using System.Net.Http; using ModernHttpClient;
    var handler = new NativeMessageHandler();
    // let the native stack answer the server's certificate request (with a cert or with none)
    handler.ClientCertificateOptions = ClientCertificateOption.Automatic;
    using (var client = new HttpClient(handler))
    { ...
Now it works fine. I'd prefer to not have to include a library just for this very specific purpose, but it works. Perhaps this specific functionality could be distilled into a few lines of code without using the library? Regardless, I'm thankful for ModernHttpClient solving this issue; it's really hacky to change server behavior just to support an iOS quirk.
Can you try changing the iOS build settings?
Change the SSL/TLS implementation to use Apple TLS.
Change the HttpClient implementation to use NSUrlSession.
I had a similar problem using HttpClient to call our public HTTPS API; the above settings fixed the issue.
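What "Accept" versus "Require" means on the wire, reproduced as an added example that is not from the thread or from Xamarin: a TLS server configured to accept client certificates sends a CertificateRequest during the handshake; a client that has no certificate answers with an empty Certificate message and the handshake completes, while a server set to require a certificate aborts instead (kCFStreamErrorDomainSSL -9806 is errSSLClosedAbort, the connection being closed on an error). Python's ssl module stands in for IIS and for a client that behaves the way the question wanted the app to. The openssl CLI is assumed on PATH to mint a throwaway self-signed localhost certificate (constructed for this demo); the server only listens on loopback.

```python
"""Added example: CERT_OPTIONAL vs CERT_REQUIRED against a client with no client cert."""
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading
from pathlib import Path


def openssl_available():
    return shutil.which("openssl") is not None


def make_server_cert(out_dir):
    """Throwaway self-signed cert for localhost (constructed for this demo)."""
    out = Path(out_dir)
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-sha256", "-nodes",
                    "-days", "1", "-subj", "/CN=localhost",
                    "-addext", "subjectAltName=DNS:localhost",
                    "-keyout", str(out / "server.key"), "-out", str(out / "server.crt")],
                   check=True, capture_output=True)
    return str(out / "server.crt"), str(out / "server.key")


def run_handshake(require_client_cert):
    """One-shot TLS server plus a client that owns no client certificate.
    Returns the server's view: 'ok' or 'rejected: <reason>'."""
    crt, key = make_server_cert(tempfile.mkdtemp())

    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(crt, key)
    # IIS "Accept" == CERT_OPTIONAL: send CertificateRequest, carry on if the client has none.
    # IIS "Require" == CERT_REQUIRED: abort the handshake instead.
    server_ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_OPTIONAL
    server_ctx.load_verify_locations(crt)   # CA list the server would accept client certs from

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    outcome = {}

    def serve():
        raw, _ = listener.accept()
        try:
            with server_ctx.wrap_socket(raw, server_side=True) as tls:
                tls.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
                outcome["server"] = "ok"
        except ssl.SSLError as exc:          # e.g. PEER_DID_NOT_RETURN_A_CERTIFICATE
            outcome["server"] = f"rejected: {exc.reason}"
        finally:
            raw.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # verifies server cert + hostname, as ATS does
    client_ctx.load_verify_locations(crt)
    try:
        with client_ctx.wrap_socket(socket.create_connection(("127.0.0.1", port)),
                                    server_hostname="localhost") as tls:
            tls.recv(1024)                   # client replied to CertificateRequest with an empty Certificate
    except OSError:                          # ssl.SSLError is an OSError: server aborted the handshake
        pass
    worker.join(5)
    listener.close()
    return outcome.get("server", "no handshake")
```

An HTTP stack that neither offers a certificate nor sends the empty Certificate message leaves the server waiting, which is the timeout described above; ClientCertificateOption.Automatic in the accepted answer hands that decision to the native stack.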

iOS: itms-services with proxy authentication

I am using itms-services to install my app over the air. Everything is working fine if I don't use a proxy. The app installs properly on iOS 6 and iOS 7.
But if I use a proxy I simply get the message that the app could not be installed. I get no more information. There is also nothing in the device logs. I am sure that the proxy information in the settings is correct.
The proxy uses basic authentication. I used wireshark to have a look at network traffic.
The iPad sends the proxy credentials correctly when requesting the ipa file for installation.
But the proxy still sends an access denied back to the iPad. Once again I am sure that the credentials are correct.
Is it even possible to use itms-services with a proxy that uses proxy authentication? Has someone ever used itms-services with proxy authentication?
I hope someone can help me. Thanks for your help in advance!
It turned out to be a simple problem. Our provider blocked the CA of the server certificate. When the iPad wanted to check if the server certificate is valid it tried to get the root certificate. But the proxy blocked that request. Strange that Apple does not give any hint on that in the device logs or anywhere else.
So the "proxy authorization required" by the server had nothing to do with the real problem.
The answer to the actual question is: it is possible to use itms-services to install apps OTA with proxy authentication. (We used basic auth in this case.)
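A quick way to catch this class of problem before the device does, as an added example (not from the thread): list the URLs a validating client may need while building the chain for your server certificate, the issuer certificate from the Authority Information Access extension plus OCSP and CRL endpoints, and fetch each one through the same proxy, with the same basic-auth credentials, that the iPad uses. The certificate text below is a constructed excerpt of `openssl x509 -noout -text` output; the proxy address is a placeholder.

```python
"""Added example: find the chain-building URLs in a certificate and probe them via the proxy."""
import re
import urllib.error
import urllib.request
from typing import Dict, List

# Constructed excerpt of `openssl x509 -in server.crt -noout -text`.
SAMPLE_X509_TEXT = """\
        X509v3 extensions:
            Authority Information Access:
                OCSP - URI:http://ocsp.example-ca.test
                CA Issuers - URI:http://certs.example-ca.test/intermediate.crt

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.example-ca.test/intermediate.crl
"""

_URI = re.compile(r"^\s*(?:(OCSP|CA Issuers) - )?URI:(\S+)", re.M)


def fetch_urls(x509_text: str) -> Dict[str, List[str]]:
    """URLs a validating device may need: the issuer's certificate (AIA
    "CA Issuers"), OCSP responders and CRLs."""
    found = {"CA Issuers": [], "OCSP": [], "CRL": []}
    for kind, url in _URI.findall(x509_text):
        found[kind or "CRL"].append(url)
    return found


def check_via_proxy(urls: Dict[str, List[str]], proxy_url: str, timeout: int = 10) -> Dict[str, str]:
    """Fetch each URL the way the device would, through the proxy, and report the
    HTTP status or error.  proxy_url may carry basic-auth credentials, e.g.
    http://user:password@proxy.example.test:3128 (placeholder).  Not run offline."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy_url, "https": proxy_url}))
    report = {}
    for kind, lst in urls.items():
        for url in lst:
            try:
                with opener.open(url, timeout=timeout) as resp:
                    report[url] = f"{kind}: HTTP {resp.status}"
            except urllib.error.HTTPError as exc:    # 403/407 here means the proxy refused the fetch
                report[url] = f"{kind}: HTTP {exc.code}"
            except urllib.error.URLError as exc:
                report[url] = f"{kind}: {exc.reason}"
    return report
```

Run it as `check_via_proxy(fetch_urls(open("server.txt").read()), "http://user:pass@proxy:3128")` after saving the `openssl x509 -text` output to server.txt; any entry that is not an HTTP 200 is a fetch the device will silently fail too. Note that these endpoints are plain http on purpose, so a proxy policy that only allows https will block exactly them.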

pkpass won't open on iOS from e-mail attachment

All websites mention that Passbook passes can be sent by e-mail. But when the pass (generated by our server) is attached to an e-mail, the iOS e-mail client won't open it and writes "(null)" instead. The same pass works fine on Android and also has no problems communicating with our web service. Any ideas? Google searches didn't offer any solutions.
Solved: There were multiple problems:
The authentication token has to be at least 16 characters long
I used the "Apple Inc. Root Certificate" (wrong one) instead of the "AppleWWDRCA" (correct one)
For production the web service needs to use https
You get that when the pass is invalid, most likely due to it being incorrectly signed and/or the pass certificate having expired.
Drag your pass into iPhone Simulator and check the Console app to look for error in the logs.
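A pre-flight check you can run on the server before mailing a pass, as an added example that is not from the thread or from Apple: a .pkpass is a zip containing pass.json, manifest.json (a map from each file name to that file's SHA-1 hex digest) and signature (a detached PKCS#7 over manifest.json). The checker below verifies the manifest, then the two pass.json rules that bit the poster above (authenticationToken of at least 16 characters, webServiceURL on https), and lists the subject/issuer of the certificates embedded in the signature with the openssl CLI so you can see whether the Apple Worldwide Developer Relations CA is in the chain. The sample pass, its icon and the placeholder signature are constructed; the key names in pass.json are Apple's.

```python
"""Added example: structural pre-flight checks on a .pkpass bundle."""
import hashlib
import io
import json
import shutil
import subprocess
import tempfile
import zipfile

# Constructed pass.json that satisfies the checks below (not a real pass).
GOOD_PASS = {
    "formatVersion": 1,
    "passTypeIdentifier": "pass.test.example.membership",
    "serialNumber": "0001",
    "teamIdentifier": "ABCDE12345",
    "organizationName": "Example Org",
    "description": "Example membership card",
    "webServiceURL": "https://passes.example.test/",
    "authenticationToken": "0123456789abcdef",      # exactly 16 chars, the minimum
    "generic": {"primaryFields": [{"key": "member", "label": "Member", "value": "J. Doe"}]},
}

REQUIRED_KEYS = ("formatVersion", "passTypeIdentifier", "serialNumber",
                 "teamIdentifier", "organizationName", "description")


def build_pkpass(pass_dict, signature=b"not-a-real-signature", corrupt_manifest=False):
    """Assemble a .pkpass zip: every file except manifest.json and signature is
    listed in manifest.json with its SHA-1.  The signature is a placeholder."""
    files = {"pass.json": json.dumps(pass_dict).encode(), "icon.png": b"\x89PNG fake"}
    manifest = {name: hashlib.sha1(data).hexdigest() for name, data in files.items()}
    if corrupt_manifest:
        manifest["icon.png"] = "0" * 40
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
        z.writestr("manifest.json", json.dumps(manifest))
        z.writestr("signature", signature)
    return buf.getvalue()


def check_pkpass(data):
    """Return the list of problems found; [] means the structural checks pass."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        missing = [n for n in ("pass.json", "manifest.json", "signature") if n not in names]
        if missing:
            return [f"missing {n}" for n in missing]
        manifest = json.loads(z.read("manifest.json"))
        for name in sorted(names - {"manifest.json", "signature"}):
            if manifest.get(name) != hashlib.sha1(z.read(name)).hexdigest():
                problems.append(f"manifest hash mismatch for {name}")
        for name in manifest:
            if name not in names:
                problems.append(f"manifest lists {name}, which is not in the bundle")
        p = json.loads(z.read("pass.json"))
    for key in REQUIRED_KEYS:
        if key not in p:
            problems.append(f"pass.json missing {key}")
    token, url = p.get("authenticationToken"), p.get("webServiceURL")
    if (token is None) != (url is None):
        problems.append("authenticationToken and webServiceURL must be set together")
    if token is not None and len(token) < 16:
        problems.append("authenticationToken must be at least 16 characters")
    if url is not None and not url.startswith("https://"):
        problems.append("webServiceURL must be https for production")
    return problems


def signer_chain(signature_der):
    """subject=/issuer= lines for each certificate inside the PKCS#7 signature,
    via the openssl CLI (None when openssl is unavailable; not run in the test).
    The pass certificate's issuer should be the Apple Worldwide Developer
    Relations CA, and that intermediate should itself be present."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.NamedTemporaryFile(suffix=".der") as f:
        f.write(signature_der)
        f.flush()
        out = subprocess.run(["openssl", "pkcs7", "-inform", "DER", "-in", f.name,
                              "-print_certs", "-noout"], capture_output=True, text=True)
    return [line.strip() for line in out.stdout.splitlines()
            if line.startswith(("subject=", "issuer="))]
```

These checks catch the malformed-pass cases; an expired or wrongly issued signing certificate still only shows up when the device validates the signature, which is where the simulator's Console log comes in.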

Single Sign ON (SSO) in iOS 7

I have a question about one of new features in iOS 7 - Single Sign On.
Is there any detailed info about it? Has somebody already tried to implement it? I searched a lot of articles and docs but did not find anything useful. I also did not find any detailed info on Apple's and Apple Developer resources. There are no visual settings for SSO in the iOS 7 GM version (I am not sure if they should be there).
So my question is: has somebody already investigated it, and maybe somebody can share some links and useful info? Are there any technical descriptions of this feature, and does it exist somehow in iOS 7 GM?
Thanks in advance.
I would recommend watching WWDC 2013 Session 301 "Extending Your Apps for Enterprise and Education Use"
Also, for an overview of an implementation of this functionality this site helps.
Lastly, here is Apple's documentation (available to developers). Look for the heading: Single Sign-On Account Payload.
Configuring SSO on a device will require Apple Configurator to install the profile or an MDM solution for OTA delivery of the SSO profile.
To make SSO (Kerberos) work on iOS 7 you need 3 things:
On the server side: Kerberos environment + HTTP SPNego/Kerberos authentication configured. SSO in iOS works only for HTTP(S).
Configuration profile containing:
[Obligatory] Your Kerberos realm.
[Obligatory] Your Kerberos principal (usually the username); this can be left empty, in which case the user will be asked to specify it during the profile installation.
[Obligatory] List of URL prefixes of the pages allowed to use SSO. Wildcards cannot be used here, if the prefix doesn't end with slash character, it will be automatically appended to it.
[Optional] List of bundle IDs allowed to use SSO, if empty all applications are allowed. Wildcards in bundle IDs can be used.
An application that supports it; Safari and WebKit (the UIWebView class) do. As described in WWDC 2013 Session Video number 301, you have to use either the NSURLConnection or the NSURLSession class. This is a simplified example of the HTTP traffic when authenticating using the SPNego scheme:
Client: GET https://login.example.com/adfs/ls/auth/integrated/?data1=aa&data2=...
Server: 401 Unauthorized
    +header WWW-Authenticate: Negotiate
Client: GET https://login.example.com/adfs/ls/auth/integrated/?data1=aa&data2=...
    +header Authorization: Negotiate [SPNEGO NegTokenInit]
Server: 200 OK
    +header Authorization: Negotiate [SPNEGO NegTokenTarg]
    +header Set-Cookie: [SESSIONID]
The dialog with the prompt for the Kerberos password (if the Kerberos ticket has not yet been granted or has expired) will appear after receiving "WWW-Authenticate". The Obj-C classes will automatically handle all the redirects and the authentication process, so the only thing you need is to make a request to the login URL and allow this URL in the profile.
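The configuration profile described in the answer above, generated as an added example (not from the thread or from Apple): it writes a com.apple.sso payload with plistlib and reproduces the two matching rules stated there, URL prefixes get a trailing slash appended and match by plain prefix, and bundle IDs may use wildcards with an empty list meaning every app. The payload keys Name, Kerberos, Realm, PrincipalName, URLPrefixMatches and AppIdentifierMatches are Apple's; the realm, principal, URLs, bundle IDs and organisation name are constructed placeholders.

```python
"""Added example: build a com.apple.sso (Kerberos) profile and its matching rules."""
import plistlib
import uuid
from fnmatch import fnmatchcase


def normalize_prefix(prefix):
    """iOS appends a slash to a prefix that lacks one, so "https://a/adfs"
    must not also allow "https://a/adfsx"."""
    return prefix if prefix.endswith("/") else prefix + "/"


def url_allowed(url, prefixes):
    """Would iOS present a Kerberos ticket to this URL?  Plain string-prefix match."""
    return any(url.startswith(normalize_prefix(p)) for p in prefixes)


def app_allowed(bundle_id, patterns):
    """AppIdentifierMatches: an empty list means every app; wildcards are allowed."""
    return not patterns or any(fnmatchcase(bundle_id, p) for p in patterns)


def kerberos_payload(realm, principal, url_prefixes, app_ids=()):
    """The Kerberos dictionary of a com.apple.sso payload.  Leave principal
    empty to have the user asked for it when the profile is installed."""
    kerberos = {
        "Realm": realm.upper(),                     # Kerberos realms are conventionally upper-case
        "URLPrefixMatches": [normalize_prefix(p) for p in url_prefixes],
    }
    if principal:
        kerberos["PrincipalName"] = principal
    if app_ids:
        kerberos["AppIdentifierMatches"] = list(app_ids)
    return kerberos


def sso_profile(realm, principal, url_prefixes, app_ids=(), org="Example Corp"):
    """A complete .mobileconfig (XML plist) ready for Apple Configurator or an MDM."""
    ident = f"{org.lower().replace(' ', '-')}.sso.{realm.lower()}"
    payload = {
        "PayloadType": "com.apple.sso",
        "PayloadVersion": 1,
        "PayloadIdentifier": ident + ".kerberos",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Kerberos SSO ({realm.upper()})",
        "Name": f"{realm.upper()} account",         # human-readable account name shown to the user
        "Kerberos": kerberos_payload(realm, principal, url_prefixes, app_ids),
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": ident,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Enterprise Single Sign-On",
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)
```

Write the bytes to a .mobileconfig file and push it with Apache Configurator or your MDM; keep the prefix list as tight as the login URL allows, since every URL under a listed prefix will be offered the user's ticket.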
Enterprise Single Sign-On lets users sign in once on their device and lets all apps on the device use it for authentication. In the case of Twitter, the links below will be useful for you:
https://dev.twitter.com/discussions/8231
http://eflorenzano.com/blog/2012/04/18/using-twitter-ios5-integration-single-sign-on/
