iPhone and UIWebView: Force HTTPS (rewrite URLs on the fly) - iphone

I have a web based application that uses Cocoa/CocoaTouch's UIWebView. I want (need?) to force all HTTP connections to HTTPS. Note that I am interested in forcing the initial, landing URL to HTTPS and all the intermediate fetches to HTTPS also. Motivation: New Tricks for Defeating SSL in Practice and sslstrip.
Is it possible to configure WebView to only use HTTPS? The UIWebView documentation does not even mention HTTPS. Considering Apple does not allow me to disable JavaScript in a UIWebView, I doubt I can make the configuration change on the view.
Or does the answer lie somewhere in NSURLRequest, NSURLConnection, and possibly delegate methods? I read URL Loading System Overview, and I don't see where I am able to change requests.

If you want to change the request you can proxy UIWebView so all requests are intercepted and then replace http with https, and make the request from the proxy. One way of doing this would be to subclass NSURLCache and override the method cachedResponseForRequest.

Related

ATS policy issue when using a redirect url in Swift

I am using this link for example to load the link. Although the link is a http link it will be redirected to a https link. It works in the browser.
However, as soon as I let my iOS Application load the resource it will say "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.".
I am using this library to load the picture. Is it not supported that Swift loads the https resource? I could think of that ATS blocks the connection to the server so the redirect can't even be received.
I would be very thankful for any thoughts on this.
Christian
While you certainly can disable the entirety of ATS using the solutions provided by Kishan and Johnson, if you know the domain of the http resource you are trying to load, you have better options. For details of why the disabling of ATS entirely is not the best idea, see this post.
Better options are:
If you know the http resource is always going to give you a redirect to the same https:// url, why not simply use the https:// url in your code. This won't work if the redirect is dynamic, but if your code is trying to load http://www.example.com/resource and that always redirects to https://www.example.com/resource, why not just change your code to go to the https version.
Only disable ATS for the domain in where you need to allow non https connections. This allows you to only allow http connections for domains you know don't support https, better protecting your application users.
Your ATS settings in your info.plist wqould look something like this:
If and only if your urls are driven by data that you don't control (i.e. the domains in those urls could be anything), you will need to disable all of ATS, and Apple may eventually want you to provide justification for disabling it. Originally they were going to have all ATS disabled apps go through an additional justification request processs, but they haven't mentioned that recently. This should be a last resort.
Honestly, looking at your example UR
Go to info.plist add a term called App Transport Security Settings.
And under that add Allow Arbitrary Loads

How to check ssl certificate of https request on iPhone

I am making an iPhone app with the aim of connecting to a wifi hotspot.
The connection to the hotspot is made with a https web page.
In order to identify if the web page is a real hotspot, not a fake hotspot to steal logins, I want to check the https certificate of the web page. The web page is loaded in a UIWebview.
Questions : How I can retreive informations about the https certificate ?
EDIT : I think that should be possible with the NSURLConnection but with a UIWebView, I haven't the NSURLConnection object.
Thanks for your answers !
You can't do this with a UIWebView, but you can using the canAuthenticateAgainstProtectionSpace: delegate method for NSURLConnection. You can use this delegate method to create an NSData copy of the certificate you want to verify, and then compare it against a locally stored copy.
That said, as indicated above it doesn't really add much security, and there are better ways of achieving what you want to achieve.

iPhone UIWebView intercept HTTP calls to redirect through proxy

I'm trying to hook UIWebView so that when a user enters a url, they are re-directed through our proxy and prompted for authentication.
I'm essentially needing to take the request and add proxy information to the request and pass it over to a UIWebView.
The proxy has to be controlled by the iOS application and not by safari or read from system wide credentials.
I've tried using ASIHTTPRequest to create a request to route through a known proxy with NTLM authentication, that works fine however doesn't bring back css, javascript, images etc.
I then read about and used ASIWebPageRequest however that is currently a bit unstable, doesn't stream and waits for the whole HTML site to download before rendering it to the user.
Can anyone point me in the right direction?
Are you allowed to change the content of the pages so that they point directly to your proxy? That might work.
Personally I'm very curious if there is any other way to do this without rewriting URLs (basically w/ only client side changes). If you found a solution please let me know1

UIWebView with server trust authentication challenge

I'm working on a web view that needs to work with only servers I trust (Based on the SSL handshake), and not all of those that Apple approve.
Is there a way to intercept the UIWebView connection so I could control on the request authentication?
When I use the UIWebView method loadRequest: there's no way of getting the SSL challenge (since it's not part of the UIWebViewDelegate protocol).
An alternative is to get the request that the UIWebView is about to send (using the delegate callback webView:shouldStartLoadWithRequest:navigationType:), telling the UIWebView not to load it, and sending the request using NSURLConnection (using its delegation methods for the SSL handshake logic). and when the connection finishes, loading the data it receives into the UIWebView (using the loading method loadData:MIMEType:textEncodingName:baseURL:). This workaround is working for simple sites, but complicated sites (JS, CSS...) might not work.
Thanks!
I had a similar problem of trying to display a web page for which the certificate has expired. I found this post, which showed me how to use a protocol on NSURLRequest, to override the method allowsAnyHTTPSCertificateForHost.
He stresses that this might or might not be accepted by Apple - however for my development this saves me some time.
You may be able to use this technique for your solution.

Request builder call not returning when using ssl(https)

I am using GWT. Currently using gwt-rpc to for login authentication. For only login purpose i want to use ssl(https) and so instead of using gwt-rpc i am trying Request Builder and calling a servlet with https.
When in Servlet URL i use protocol as http the request builder works perfectly and response returns to client side(onResponseReceived ). but when i use https in the servlet url then the servlet is gettting called but the response is not returning to the onResponseReceived method of request builder.
my url with http looks like : http://localhost:8888/myproject/myservlet
and with https it looks like :https://localhost/myproject/myservlet
Please give any suggestion or is there any other way to do it.and also is it possible to use ssl over gwt-rpc.
Browser Same origin policy is blocking your requests.
Your page was requested over http, but you are now making an ajax call over https. This is a violation of same origin policy.
To get around, you should serve your original html/servlet over https. This does have a performance cost, but it is the only way to build a secure website.
I'm not familliar with GWT and Request Builder, but whenever I have had problems with HTTPS connections from my code it has come down to certificates and having the right certificate installed in the client or telling the client code where to find the certificate in order to encode the call.
That would be the first avenue I would want to explore in your situation.