Question

I am working on a native iPhone app that needs to be able to automatically (in the background) sign into a captive portal on a company's large WiFi network before accessing the net. The captive portal is a simple HTTPS page with a username and password form that authenticates then allows access to the Internet.

The hope is that the user will enter their password and username into the App once and then the credentials will be reused whenever the App is started next time.

How can I verify that the captive portal being presented by the WiFi connection is actually the company's portal and not a rogue base station? I am worried that an unscrupulous person would be able to masquerade as the portal and steal login credentials.

I thought I might be able to allow the user to confirm and save the certificate for the portal the first time they use the app and check the certificate against the domain name of the portal, will that be enough?

I haven't been able to find anything about web authorisation beyond the 401/407 HTTP responses handled by CFHTTPAuthentication, and the portal doesn't send those.

Thanks!


Solution

If you know the domain name of the captive portal, it's enough to compare the domain which you get from the redirect against the one you know (and which might be hardcoded into your app).

You can absolutely rely on https about the identity of the server, if the domain name is right.
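
The comparison described in the answer, as an added Swift example that is not part of the original post: a redirect is followed only when its target is HTTPS and its host exactly equals a hardcoded name, and the system's TLS validation is left untouched. The host `portal.example.com` and the names `isExpectedPortal` and `PortalRedirectGuard` are assumptions made for illustration.

```swift
import Foundation

// Assumption: placeholder for the company portal's real hostname.
let expectedPortalHost = "portal.example.com"

/// True only if `url` is an HTTPS URL whose host is exactly the expected portal host.
func isExpectedPortal(_ url: URL, expectedHost: String = expectedPortalHost) -> Bool {
    guard let parts = URLComponents(url: url, resolvingAgainstBaseURL: true),
          parts.scheme?.lowercased() == "https",
          let host = parts.host?.lowercased()
    else { return false }
    // Exact comparison: substring or suffix checks would accept look-alike hosts.
    return host == expectedHost.lowercased()
}

/// Follows a redirect only when it leads to the expected portal.
final class PortalRedirectGuard: NSObject, URLSessionTaskDelegate {
    private(set) var portalURL: URL?

    func urlSession(_ session: URLSession, task: URLSessionTask,
                    willPerformHTTPRedirection response: HTTPURLResponse,
                    newRequest request: URLRequest,
                    completionHandler: @escaping (URLRequest?) -> Void) {
        if let target = request.url, isExpectedPortal(target) {
            portalURL = target
            completionHandler(request)
        } else {
            completionHandler(nil) // unknown portal: stop here, send no credentials
        }
    }
    // No urlSession(_:didReceive:completionHandler:) override on purpose:
    // the default certificate and hostname validation stays in force.
}

// Constructed sample redirect targets, including look-alike hosts.
let samples = [
    "https://portal.example.com/login",
    "http://portal.example.com/login",
    "https://portal.example.com.evil.test/login",
    "https://evil.test/portal.example.com",
    "https://portal.example.com@evil.test/login",
]
for s in samples {
    if let u = URL(string: s) { print(s, "->", isExpectedPortal(u)) }
}
```

Credentials would be posted only after `portalURL` has been set and the HTTPS request to it has completed without a TLS error.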

Licensed under: CC-BY-SA with attribution