Is NSURLConnection willSendRequestForAuthenticationChallenge secure

Question

I am connecting to an internal company REST service using HTTPS POST in my iOS App. This service requires basic HTTP Authentication.

When I tried to pass the authentication parameters in the HTTPHeader, the server responded back with an error saying "Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “oiam.XXXX.com” which could put your confidential information at risk." UserInfo=0x8d1de60 {NSErrorFailingURLStringKey=https://oiam.xxxx.com/NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, "

I read some questions and looks like I needed to install the certificate. Since I am on an iOS simulator I was not able to install cert.

I tried to use NSURLConnectionDelegate protocol and the connection worked.

Only issue I have is this method where I pass the username password. Is it secure? Why do I not require to encode the values? I was encoding for passing the value while doing the HTTPS Basic authentication in Header.

-(void)connection:(NSURLConnection *)connection       willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
if ([challenge previousFailureCount]) {
   [[challenge sender] cancelAuthenticationChallenge:challenge];
} else {
    NSURLCredential *credential = [NSURLCredential credentialWithUser:@"username1"
                                   password:@"password1"                                                     
                                   persistence:NSURLCredentialPersistenceForSession];
    [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
}
}

score 3 · Accepted Answer · answered Oct 10 '13 at 20:16

3

For internal use and testing, you can override a private API in NSURLRequest using a class extension so that the invalid certificate is accepted:

#if DEBUG

@interface NSURLRequest (IgnoreSSL)

+ (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host;

@end

@implementation NSURLRequest (IgnoreSSL)

+ (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host
{
    // ignore certificate errors only for this domain
    if ([host hasSuffix:@"oiam.XXXX.com"]) {
        return YES;
    }
    else {
        return NO;
    }
}

@end

#endif

As for the question about the security of the credentials, they will be encoded as necessary before being transmitted over the wire.

answered Oct 10 '13 at 20:16

neilco

7,964
2
36
41

2

Thanks. I am now using HTTPS Basic Auth (passing credentials in Header) and added this code from Stack Overflow to remove cert error: -(void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge { if ([[challenge protectionSpace] authenticationMethod] == NSURLAuthenticationMethodServerTrust) { [[challenge sender] useCredential:[NSURLCredential credentialForTrust:[[challenge protectionSpace] serverTrust]] forAuthenticationChallenge:challenge]; } } Its working. I'm trying to figure out what this does. – Jasmine Oct 10 '13 at 20:41
@Jasmine can you put whole code for used of willSendRequestForAuthenticationChallenge so i have get more idea about it . +1 for you. – Dhaval Bhadania Jan 07 '14 at 06:00
@DhavalBhadania I'm now using neilco's suggestion. It works for development for any self signed certificate. I'm just ignoring the error. In production when the certificate is signed, I get rid of the NSURLRequest (IgnoreSSL) files. – Jasmine Jan 28 '14 at 15:35

Is NSURLConnection willSendRequestForAuthenticationChallenge secure

1 Answers1