For internal use and testing, you can override a private API in NSURLRequest
using a class extension so that the invalid certificate is accepted:
#if DEBUG
@interface NSURLRequest (IgnoreSSL)
+ (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host;
@end
@implementation NSURLRequest (IgnoreSSL)
+ (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host
{
// ignore certificate errors only for this domain
if ([host hasSuffix:@"oiam.XXXX.com"]) {
return YES;
}
else {
return NO;
}
}
@end
#endif
As for the question about the security of the credentials, they will be encoded as necessary before being transmitted over the wire.