I want to encapsulate UIWebView which can handle both http and https request on ios platform, especially for https, it should handle both trust and unverified (developer defined) certificates. Any open source available to take reference?
Thanks in advance.
Graham Lee discusses some of the things you can do at On SSL Pinning for Cocoa [Touch]. Its about as close as you are going to get to open source - its sample code that shows you how to do it with NSURLConnection and NSURLConnectionDelegate.
Lee's article discusses how to pin a public key, which improves security on the channel. Public Key Pinning is equivalent to StrictHostKeyChecking in SSH. In addition, I believe you can use NSURLConnection and NSURLConnectionDelegate to trust your [otherwise] untrusted certificates (I don't observe the practice, so I'm not sure of the details).
Be careful of lessening (ruining?) the security built into the channel. A survey and analysis of dumb developer decisions was recently published at Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security. Its not limited to Android.
Create network connection to handle SSH challenge, untrusted certification.
This bit of code may be of help https://github.com/dirkx/Security-Pinning-by-CA - it does exactly that.
Related
After testing and research it seems the NotificationURL parameter requires a fully valid SSL certificate or the subscribe call fails.
I am wondering if there is a way I have not found or a clever workaround to use the Office 365 Notifications with a self-signed SSL certificate installed on the NotificationURL during development?
Thanks!
Steve
I won't mark this as answered yet in case there is a better way, but here is my work around for the issue.
I created a small webapi project that takes a base64 encoded url as a parameter, ie: https://site.azurewebsites.com/Notify/aHR0cDovL3NvbWVob3N0OjEyMzQ1L05vdGlmeQ==
It proxies the request to that encoded URL and plays back the response.
I hosted this "proxy" as a free azure website making use of the SSL provided and can now subscribe to notifications via my proxy.
It works well enough and means I can work from anywhere.
I'll see if better ideas come along, but if not will accept this as the answer as it seems to work for my development purposes.
Steve
I've used Ngrok. The free version is sufficient to debug WebHooks
I have set up an API endpoint on my Digital Ocean VPS to receive incoming SMS to my Twilio number. It was working.
Then I started using CloudFlare. I believe that it stopped working after that, but since I receive SMS so infrequently, I am not absolutely sure. Although Twilio's website indicates that they sent an HTTP request and received a 502 Bad Gateway error, my server logs never registered any incoming requests from Twilio. I know that my API endpoint works because when I manually enter the API endpoint in my Chrome browser, my server receives it and logs the GET request as expected.
I tried asking Twilio's support for the full details of the supposedly failed request, but they refuse to give it to me.
Does anyone know which setting in CloudFlare to adjust that may fix this? I've tried turning off and reducing all the security settings as I thought it may be a firewall issue. How else can I go about debugging this problem without turning off CloudFlare completely (I need it on for other purposes)? I will accept the first answer or advice that leads to the solution. Thanks!
EDIT: this is the response from CloudFlare
One thing to ask them, is whether they support the SSL configuration
of Universal SSL - which uses SNI and ECDSA. We have seen instances of
3rd party services not supporting one or both of these, and therefore
failing to make calls via HTTPS.
Universal SSL support is defined by the client machine's support for
two newer features:
Server Name Indication (SNI) Elliptic Curve certificates (ECDSA) What
browsers work with Universal SSL?
If you need broader browser compatibility for older browsers/operating
systems, our Pro plan plan provides this.
Also, if you want to get full information about what your browser
supports, this site will run a check on your browser and tell you the
support your browser has for protocols, ciphers and SNI:
https://cc.dcsec.uni-hannover.de/
Twilio developer evangelist here.
Good news, Twilio now supports SNI! So, this should no longer be a problem.
You might want to check Server Name Indication (SNI) Twilio does not support this, so as a result you get 502 Bad Gateway. Same thing was happening to me. I was able to fix this using Cloud flare Pro see this post
Twilio - TwiML with SNI Support
Is there a best way to do certificate pinning in iOS to avoid Man in middle attack. Or is there any substitute approach that apple provides to make a secure connection?
Currently I'm using A certificate pining approach where either I've to store the .der file in my app to compare with Server Certificate or as option2 to do SHA1 or MD5 validation. But in this case app need regular updates with change in those certificates.
Is there any other concrete approach that apple provides for SSL /TLS validation.
Any demo code sample will be helpful
Thanks in advance
OWASP provides good information about this topic, including sample code for various OS, including iOS.
AFNetworking provides AFSecurityPolicy class to deal with certificate and public key pinning.
I want to record web requests using fiddler of an iOS7 native app which using https protocol (with trusted certificates) to communicate with server. I could able to record the requests and after Https decryption option disabled and its worked fine. When Https decryption option enabled app shows invalid/untrusted certifificate alert and cannot proceed even after installing fiddler certificate in iOS.
Question is,
Is there any way to record Https request/response of iOS7 app using fiddler by imitating any other certificate as trusted certificate or anyother way to do that? any suggestions? any other tools? I got another solution from here but it was not worked.
Thanks in advance
You need to use the Fiddler Certificate Maker add-on to generate certificates that iOS is willing to trust.
See http://blogs.telerik.com/fiddler/posts/12-12-21/using-fiddler-with-apple-ios-devices for more information.
Also keep in mind that some iOS applications (like the AppStore) use a technique called "Certificate Pinning" which means that you cannot decrypt their traffic seamlessly unless you jailbreak the device.
NOTE: This question is NOT related to the keys and certificates used for iOS development/provisioning.
I would like to use TLS client certificates for authentication of iOS devices running my app. In order to achieve this securely, it would be ideal if the device generated its private key itself and requested a certificate from our in-house CA.
I can't find an API in the docs for doing this, but I can see that iOS supports TLS client certificate authentication, so it seems logical that it would be possible. Can anyone point me in the right direction?
Actually there is objective-c wrapper of Open SSL available. Which can be some help to you. https://github.com/aidansteele/SSCrypto.
You can also use mycrypto( https://bitbucket.org/snej/mycrypto/wiki/Home ) a high level objective-c wrapper for many cryptographic tasks.