I am new to web development and currently I am developing a REST API which is to be consumed by an iOS app. So I developed the API and also implemented JWT tokens with OAuth2 security in it. Now I want to provide the API to be consumed by the mobile app. My backend server has an SSL certificate. So the consumed REST API will be something like

https://server:port/dataapiurl

So far I have read about SSL and JWT and I already know they are for different reasons: SSL is used for an encrypted channel between client and server, and JWT is used for authorization.

So there will be no point if I implement JWT and the communication is not over SSL. So to make sure the communication between the client and the server is over SSL, what has to be done on the client (mobile app) side?

1. Does the mobile app need to install a new certificate, or the SSL certificate of our backend server?

2. If it is our backend server's SSL certificate, then how do we install it in the mobile app?

Any Help is appreciated.

1 Answer

You can, but don't have to, set your SSL cert on the client. You can just conform to the NSURLSessionDelegate protocol and implement this:

#import <Security/Security.h>

- (void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
    if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        // Hosts this app is willing to talk to over TLS
        NSArray<NSString *> *netTrusts = @[@"your hostname here"];
        SecTrustRef trust = challenge.protectionSpace.serverTrust;
        SecTrustResultType result = kSecTrustResultInvalid;
        // The host must be one of ours AND the presented certificate chain must actually validate;
        // handing serverTrust to a credential without evaluating it would accept any certificate for that host.
        if ([netTrusts containsObject:challenge.protectionSpace.host]
            && SecTrustEvaluate(trust, &result) == errSecSuccess
            && (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed)) {
            NSURLCredential *credential = [NSURLCredential credentialForTrust:trust];
            completionHandler(NSURLSessionAuthChallengeUseCredential, credential);
            return;
        }
    }
    // Every other case: fall back to the system's default handling so the request never hangs without a reply.
    completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
}

  • Could you please explain a bit further. Actually I did not get the point of how to set the SSL cert on the client side. Since I am the backend developer and my backend server has the SSL key and certificate, should I give the cert to the mobile app? Could you please advise on this more –  Apr 19 '17 at 09:13
  • If you implement a delegate for your NSURLSession, you can request your server with or without setting your certificate on your device. The main problem with setting your certificate on your device is that you have to renew your app's certificate each time your certificate is revoked and renewed on your server. With the code that I wrote here, your delegate listens for an SSL challenge and, if your host is trusted, the delegate allows the request to end without having the certificate on the device. – Jérémy Voisin Apr 19 '17 at 09:19
  • If you really want to set your certificate on your device, there is a way called certificate pinning that you can find on the OWASP website https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#iOS – Jérémy Voisin Apr 19 '17 at 09:28
  • Then I am the backend developer and my question is what has to be done from my side? Because the NSURLSession should be implemented in the mobile app (front-end) side. Correct me if I am wrong –  Apr 19 '17 at 10:32
  • Ok, so, backend side, there is nothing more to do. It's the mobile app's work to do the trick – Jérémy Voisin Apr 19 '17 at 10:34
  • Thank you for your explanation. I hope then there is no work to do on my side –  Apr 19 '17 at 10:44
  • When your backend supports SSL, the client should adapt its requests to also support it :) – Jérémy Voisin Apr 19 '17 at 10:47
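As an added example (not code from the answer or the asker's project), here is the certificate-pinning variant the comments point to: an NSURLSessionDelegate that first lets the system validate the chain, hostname and expiry, and then additionally requires the SHA-256 of the server's leaf certificate to match a value shipped in the app. The class name, the host and the pin bytes are assumptions/placeholders.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>

// Hypothetical delegate: pinsByHost maps a hostname to the set of accepted
// SHA-256 digests of the DER-encoded leaf certificate.
@interface PinnedSessionDelegate : NSObject <NSURLSessionDelegate>
@property (nonatomic, copy) NSDictionary<NSString *, NSSet<NSData *> *> *pinsByHost;
@end

@implementation PinnedSessionDelegate

- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
    if (![challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    SecTrustRef trust = challenge.protectionSpace.serverTrust;
    NSSet<NSData *> *pins = self.pinsByHost[challenge.protectionSpace.host];
    if (pins == nil) {
        // A host we do not pin: the system's normal policy decides.
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    // Step 1: standard chain validation (trusted CA, hostname, validity period) must pass.
    SecTrustResultType result = kSecTrustResultInvalid;
    if (SecTrustEvaluate(trust, &result) != errSecSuccess ||
        (result != kSecTrustResultUnspecified && result != kSecTrustResultProceed)) {
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        return;
    }
    // Step 2: the leaf certificate's DER bytes must hash to a pinned value.
    SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
    NSData *der = CFBridgingRelease(SecCertificateCopyData(leaf));
    unsigned char digest[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(der.bytes, (CC_LONG)der.length, digest);
    NSData *leafHash = [NSData dataWithBytes:digest length:sizeof(digest)];
    if ([pins containsObject:leafHash]) {
        completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:trust]);
    } else {
        // Chain is valid but not the certificate we expect: refuse rather than fall back.
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}

@end
```

Because the pin is the hash of the whole certificate, it must be updated (and the app re-shipped) whenever the server certificate is renewed, which is exactly the maintenance cost the comments above describe; pinning the public key instead survives renewals that keep the same key.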