Is NSURLConnection willSendRequestForAuthenticationChallenge secure

StackOverflow https://stackoverflow.com/questions/19304703

Question

I am connecting to an internal company REST service using HTTPS POST in my iOS App. This service requires basic HTTP Authentication.

When I tried to pass the authentication parameters in the HTTPHeader, the server responded back with an error saying "Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “oiam.XXXX.com” which could put your confidential information at risk." UserInfo=0x8d1de60 {NSErrorFailingURLStringKey=https://oiam.xxxx.com/NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, "

I read some questions and looks like I needed to install the certificate. Since I am on an iOS simulator I was not able to install cert.

I tried to use NSURLConnectionDelegate protocol and the connection worked.

Only issue I have is this method where I pass the username password. Is it secure? Why do I not require to encode the values? I was encoding for passing the value while doing the HTTPS Basic authentication in Header.

-(void)connection:(NSURLConnection *)connection       willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
if ([challenge previousFailureCount]) {
   [[challenge sender] cancelAuthenticationChallenge:challenge];
} else {
    NSURLCredential *credential = [NSURLCredential credentialWithUser:@"username1"
                                   password:@"password1"                                                     
                                   persistence:NSURLCredentialPersistenceForSession];
    [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
}
}
Was it helpful?

Solution

For internal use and testing, you can override a private API in NSURLRequest using a class extension so that the invalid certificate is accepted:

#if DEBUG

@interface NSURLRequest (IgnoreSSL)

+ (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host;

@end

@implementation NSURLRequest (IgnoreSSL)

+ (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host
{
    // ignore certificate errors only for this domain
    if ([host hasSuffix:@"oiam.XXXX.com"]) {
        return YES;
    }
    else {
        return NO;
    }
}

@end

#endif

As for the question about the security of the credentials, they will be encoded as necessary before being transmitted over the wire.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top