I am making an iPhone app with the aim of connecting to a wifi hotspot.
The connection to the hotspot is made with a https web page.
In order to identify if the web page is a real hotspot, not a fake hotspot to steal logins, I want to check the https certificate of the web page. The web page is loaded in a UIWebview.
Questions : How I can retreive informations about the https certificate ?
EDIT : I think that should be possible with the NSURLConnection but with a UIWebView, I haven't the NSURLConnection object.
Thanks for your answers !
You can't do this with a UIWebView, but you can using the canAuthenticateAgainstProtectionSpace: delegate method for NSURLConnection. You can use this delegate method to create an NSData copy of the certificate you want to verify, and then compare it against a locally stored copy.
That said, as indicated above it doesn't really add much security, and there are better ways of achieving what you want to achieve.
Related
Recently I am doing a research on the request/response model of the facebook mobile app. I am using the fiddler 4 to capture all the http/https conversation from the facebook app on my iphone 4s. What I did was setting my desktop as a proxy and redirecting all the iphone network traffic through it. By the way, I have configured the fiddler so that all the https conversations are also transparent.
One interesting thing I find is that, although I am able to capture all the requests and responses for the graphics and jsons. I never found any request regarding the Comments or Likes, nor can I find any information of the new feed that's in plain text.
My question is, did I miss something or such "plain text" conversations are happening on a different transport layer or with some different protocol?
How am I able to get these conversations in my fiddler?
Thanks
All communication with the server API should be running over HTTPS. It means it's SSL encrypted and you are unable to see the plain text communication on your proxy. That behaviour is on purpose to protect the users data. You surely wouldn't be happy if anybody on a way of packets from your iPhone to the Facebook API's could read your messages for example :-)
You are saying you made "https transparent". I don't know what exactly you mean, but unless you make classical man-in-the-middle attack by faking certificates, you have no chance to see the open text communication of HTTPS. And I think FB has it covered and will detect change of certificates.
Edit: I just have checked it out using Charles proxy and yes, all the communication to the Facebook API is (of course as expected) HTTPS, so you will never see any open text communication.
As you know, you can easily configure Fiddler to decrypt HTTPS traffic.
My first guess is that the "Like" and "Comment" data are transferred over a HTML5 WebSocket. Do you see any WebSockets in the traffic from the application?
I'm trying to hook UIWebView so that when a user enters a url, they are re-directed through our proxy and prompted for authentication.
I'm essentially needing to take the request and add proxy information to the request and pass it over to a UIWebView.
The proxy has to be controlled by the iOS application and not by safari or read from system wide credentials.
I've tried using ASIHTTPRequest to create a request to route through a known proxy with NTLM authentication, that works fine however doesn't bring back css, javascript, images etc.
I then read about and used ASIWebPageRequest however that is currently a bit unstable, doesn't stream and waits for the whole HTML site to download before rendering it to the user.
Can anyone point me in the right direction?
Are you allowed to change the content of the pages so that they point directly to your proxy? That might work.
Personally I'm very curious if there is any other way to do this without rewriting URLs (basically w/ only client side changes). If you found a solution please let me know1
I'm working on a web view that needs to work with only servers I trust (Based on the SSL handshake), and not all of those that Apple approve.
Is there a way to intercept the UIWebView connection so I could control on the request authentication?
When I use the UIWebView method loadRequest: there's no way of getting the SSL challenge (since it's not part of the UIWebViewDelegate protocol).
An alternative is to get the request that the UIWebView is about to send (using the delegate callback webView:shouldStartLoadWithRequest:navigationType:), telling the UIWebView not to load it, and sending the request using NSURLConnection (using its delegation methods for the SSL handshake logic). and when the connection finishes, loading the data it receives into the UIWebView (using the loading method loadData:MIMEType:textEncodingName:baseURL:). This workaround is working for simple sites, but complicated sites (JS, CSS...) might not work.
Thanks!
I had a similar problem of trying to display a web page for which the certificate has expired. I found this post, which showed me how to use a protocol on NSURLRequest, to override the method allowsAnyHTTPSCertificateForHost.
He stresses that this might or might not be accepted by Apple - however for my development this saves me some time.
You may be able to use this technique for your solution.
i am making an app in which there is a need of money transaction...
for this i have to send SOAP xml to server but in secure way....
i have been told that i have to create SSL connection first and then send that soap message.....
I know about SOAP very well but no idea about SSL connection...
please provide some help...
Check out NSURLConnection docs on the apple site: NSURLConnection
EDIT: added more info.
You need to set up authentication. A quick search of SO produced these results:
NSURLConnection SSL HTTP Basic Auth and
HTTPS with NSURLConnection - NSURLErrorServerCertificateUntrusted
You need to set up your server to handle authentication, then issue a challenge to the device. As you can see in the above posts, there is a function: didReceiveAuthenticationChallenge:
You need to use this to handle authentication challenges. You can get a good idea of how to go about it using the above posts.
Your server needs to be set up to handle authentication, as well. I don't know what language you use with your server, but as I use PHP, here is the PHP manual link on authentication:
PHP authentication
It is a tricky thing to do at first, but once you get into it isn't bad (and creating more https connections comes easily). However, writing out everything you would need to do here is a bit much. If you scope out those posts, you can get a general idea about how to go about it. It'll take some working to get it done.
Most often this simply means that you have to send data to an HTTPS endpoint. What this also means is that there is a secure connection (done for you automatically) between the client and the server so that the payload (body) of the message is encrypted rather than transmitted in clear text (which is the case with HTTP).
Basically, most times, it is enough just to make sure you're using HTTPS :)
Have a look at http://en.wikipedia.org/wiki/Secure_Sockets_Layer
I have a query regarding sending secure data over the network in iPhone.
What should be used to secure credit-card, bank acct# etc. information which is sent over wireless network.
Is there any difference in methods if we use a native-app or a web-app?
Are there any direct APIs available for this?
Any tutorial will be really helpful.
Thanks in advance.
EDIT :
So where exactly the certificate/encryption is needed?
Is following procedure correct?
1]Make connection to “https:” web-service using NSURLConnection
2]The server should implement SSL/TLS Server will respond with a digital certificate (*.p12 file)
3]Client side authorization will be done. (Whether the obtained certificate is trusted or
not is checked. If trusted,then we can continue. Otherwise exit gracefully)
4]Now Secure Channel is established. Send the data (Credit card info. etc) to server. Encryption can be done using public/private key pair
I am able to connect to a "http://" SOAP webservice. procedure:
1) Create a SOAP Envelope (With required i/p parameters)
2) Make NSURL Object with required web service addr
3) Initialize 'NSMutableURLRequest' with above url
4) Set parameters for NSMutableURLRequest
5) Initiate 'NSURLConnection' with above request.
After this automatically NSURLConnection methods are called.
Now I want to connect to 'Https://' web-service and send sensitive info to it.
So,what extra needs to be done? Do I need to add extra methods or above approach works? (I send parameters as plain text from in http)
Make sure the receiving server-side code implements SSL/TLS, the iphone's NSURLConnection and the alternative open-source ASIHTTPRequest both support secure connections to https websites by default.