0

We have developed an iOS framework to be distributed to other developers to use in their apps and make use of some services we would provide. It works great (in vitro). But, because of the way URL Loading System works in iOS, with a few line of codes all our URLs will be visible to the naked eyes of every developer, including all our HTTPS urls which we hold dear.

I know security by obscurity is never a good idea (shadowed by the common misbelief of HTTPS are always transparent outside clients) but I still have this requirement to somehow make our URLs invisible from implementing developers.

So far I have considered implementing a simple NSURLConnection alternative for our framework but it seems like a daunting task considering HTTPS requirement and all.

Is there anyway we could prevent NSURLProtocol from registering more classes or any other options?

Here are some sample codes on how NSURLProtocol would mess up your security:

 class NetSniffer : NSURLProtocol {

  override class func canInitWithRequest(request: NSURLRequest) -> Bool {
    print("\(request.URL?.absoluteURL)")
    return false
  }


}

and in your application(_, didFinishLaunchingWithOptions:)-> Bool :

NSURLProtocol.registerClass(NetSniffer)

P.S.: I can vividly remember a time I tried to change the result of some url connections related to AVPlayer to create a custom DRM and encountered some unusual facts that none of the data connections were triggered by NSURLProtocols! could it be a clue?!

M. Porooshani
  • 1,797
  • 5
  • 34
  • 42

2 Answers2

1

If you block NSURLProtocol.registerClass, you will break a lot of useful code.

It's an exercise in futility to try and hide your URLs. If someone wants to reverse engineer your API, they will do.

chedabob
  • 5,835
  • 2
  • 24
  • 44
  • You're absolutely right, but I'm not in a position to enforce or consult other security measures on the project and I just didn't want to be the culprit in case something might go wrong. please see my answer anyway. – M. Porooshani Jan 13 '16 at 04:40
0

Well, once again I have the answer to my own question. The solution was actually very simple. Luckily NSURLSession offers more than I thought. Every class you register as NSURLProtocol only affects the defaultSession and if you are o create a new session based on a configuration other than default (and not exposing i to other developers) would be safe. but, in any case what I have done was this:

  • Get an instance of NSURLSessionConfiguration using static members of class like defaultConfiguration
  • Iterated over its registered protocols (registeredProtocols) and unregister them one by one.
  • Instantiate a new NSURLSession based on this configuration.
  • start a new data task on the newly created session
  • dispose of the session after finish.

so far I haven't been able to find a way to go past this and extract the URLs from outside my module.

Let me know if it needs any improvements.

M. Porooshani
  • 1,797
  • 5
  • 34
  • 42