IOS, UIWebView, HTTPS, and Trusting Arbitrary Certificate (Open Source Reference?)

Question

I want to encapsulate UIWebView which can handle both http and https request on ios platform, especially for https, it should handle both trust and unverified (developer defined) certificates. Any open source available to take reference?

Thanks in advance.

Answer 1

This bit of code may be of help https://github.com/dirkx/Security-Pinning-by-CA - it does exactly that.

Answer 2

Graham Lee discusses some of the things you can do at On SSL Pinning for Cocoa [Touch]. Its about as close as you are going to get to open source - its sample code that shows you how to do it with NSURLConnection and NSURLConnectionDelegate.

Lee's article discusses how to pin a public key, which improves security on the channel. Public Key Pinning is equivalent to StrictHostKeyChecking in SSH. In addition, I believe you can use NSURLConnection and NSURLConnectionDelegate to trust your [otherwise] untrusted certificates (I don't observe the practice, so I'm not sure of the details).

Be careful of lessening (ruining?) the security built into the channel. A survey and analysis of dumb developer decisions was recently published at Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security. Its not limited to Android.

Answer 3

Create network connection to handle SSH challenge, untrusted certification.