I'm working on a web view that needs to work with only servers I trust (Based on the SSL handshake), and not all of those that Apple approve.
Is there a way to intercept the UIWebView connection so I could control on the request authentication?
When I use the UIWebView method loadRequest: there's no way of getting the SSL challenge (since it's not part of the UIWebViewDelegate protocol).
An alternative is to get the request that the UIWebView is about to send (using the delegate callback webView:shouldStartLoadWithRequest:navigationType:), telling the UIWebView not to load it, and sending the request using NSURLConnection (using its delegation methods for the SSL handshake logic). and when the connection finishes, loading the data it receives into the UIWebView (using the loading method loadData:MIMEType:textEncodingName:baseURL:). This workaround is working for simple sites, but complicated sites (JS, CSS...) might not work.
Thanks!
I had a similar problem of trying to display a web page for which the certificate has expired. I found this post, which showed me how to use a protocol on NSURLRequest, to override the method allowsAnyHTTPSCertificateForHost.
He stresses that this might or might not be accepted by Apple - however for my development this saves me some time.
You may be able to use this technique for your solution.
Related
I have a web based application that uses Cocoa/CocoaTouch's UIWebView. I want (need?) to force all HTTP connections to HTTPS. Note that I am interested in forcing the initial, landing URL to HTTPS and all the intermediate fetches to HTTPS also. Motivation: New Tricks for Defeating SSL in Practice and sslstrip.
Is it possible to configure WebView to only use HTTPS? The UIWebView documentation does not even mention HTTPS. Considering Apple does not allow me to disable JavaScript in a UIWebView, I doubt I can make the configuration change on the view.
Or does the answer lie somewhere in NSURLRequest, NSURLConnection, and possibly delegate methods? I read URL Loading System Overview, and I don't see where I am able to change requests.
If you want to change the request you can proxy UIWebView so all requests are intercepted and then replace http with https, and make the request from the proxy. One way of doing this would be to subclass NSURLCache and override the method cachedResponseForRequest.
I am making an iPhone app with the aim of connecting to a wifi hotspot.
The connection to the hotspot is made with a https web page.
In order to identify if the web page is a real hotspot, not a fake hotspot to steal logins, I want to check the https certificate of the web page. The web page is loaded in a UIWebview.
Questions : How I can retreive informations about the https certificate ?
EDIT : I think that should be possible with the NSURLConnection but with a UIWebView, I haven't the NSURLConnection object.
Thanks for your answers !
You can't do this with a UIWebView, but you can using the canAuthenticateAgainstProtectionSpace: delegate method for NSURLConnection. You can use this delegate method to create an NSData copy of the certificate you want to verify, and then compare it against a locally stored copy.
That said, as indicated above it doesn't really add much security, and there are better ways of achieving what you want to achieve.
I'm trying to hook UIWebView so that when a user enters a url, they are re-directed through our proxy and prompted for authentication.
I'm essentially needing to take the request and add proxy information to the request and pass it over to a UIWebView.
The proxy has to be controlled by the iOS application and not by safari or read from system wide credentials.
I've tried using ASIHTTPRequest to create a request to route through a known proxy with NTLM authentication, that works fine however doesn't bring back css, javascript, images etc.
I then read about and used ASIWebPageRequest however that is currently a bit unstable, doesn't stream and waits for the whole HTML site to download before rendering it to the user.
Can anyone point me in the right direction?
Are you allowed to change the content of the pages so that they point directly to your proxy? That might work.
Personally I'm very curious if there is any other way to do this without rewriting URLs (basically w/ only client side changes). If you found a solution please let me know1
i am making an app in which there is a need of money transaction...
for this i have to send SOAP xml to server but in secure way....
i have been told that i have to create SSL connection first and then send that soap message.....
I know about SOAP very well but no idea about SSL connection...
please provide some help...
Check out NSURLConnection docs on the apple site: NSURLConnection
EDIT: added more info.
You need to set up authentication. A quick search of SO produced these results:
NSURLConnection SSL HTTP Basic Auth and
HTTPS with NSURLConnection - NSURLErrorServerCertificateUntrusted
You need to set up your server to handle authentication, then issue a challenge to the device. As you can see in the above posts, there is a function: didReceiveAuthenticationChallenge:
You need to use this to handle authentication challenges. You can get a good idea of how to go about it using the above posts.
Your server needs to be set up to handle authentication, as well. I don't know what language you use with your server, but as I use PHP, here is the PHP manual link on authentication:
PHP authentication
It is a tricky thing to do at first, but once you get into it isn't bad (and creating more https connections comes easily). However, writing out everything you would need to do here is a bit much. If you scope out those posts, you can get a general idea about how to go about it. It'll take some working to get it done.
Most often this simply means that you have to send data to an HTTPS endpoint. What this also means is that there is a secure connection (done for you automatically) between the client and the server so that the payload (body) of the message is encrypted rather than transmitted in clear text (which is the case with HTTP).
Basically, most times, it is enough just to make sure you're using HTTPS :)
Have a look at http://en.wikipedia.org/wiki/Secure_Sockets_Layer
Had a question related to best practices in iPhone login authentication using asynchronous NSURLConnection.
Since the same delegate is used for logging into a server, how do folks differentiate notifications coming back for an authentication request, versus when you recieve data for subsequent data requests?
Thanks,
Sj
If by authentication, you mean HTTP authentication, then that is not handed back to you as data. It comes back in -connection:didReceiveAuthenticationChallenge:. If you're talking about a higher-level protocol that manages authentication above the HTTP layer, then it's your job to keep track of the current state of your connection.
See Using NSURLConnection for full details on HTTP Auth.
The common pattern to use would be to create a different class for each type of request you have and make it manage the lifetime its own NSURLConnection. It can then send events back to its delegate.
The other method would be to remember all the NSURLConnections you've created and compare them against the first parameter of the delegate callbacks.