Alternative method for NSURLRequest's private "setAllowsAnyHTTPSCertificate:forHost:"?

Question

My iPhone application was rejected solely for using the (very safe, it seems) private method +setAllowsAnyHTTPSCertificate:forHost: for NSURLRequest. Is there a non-private API to emulate this functionality?

Answer 1

Not a solution, but a suggestion. Have you thought about using ASIHttpRequest Framework for this? This framework is complete in all aspects. Check the documentation, maybe it can help you too.

Answer 2

Actually, I'm testing with 10.6.8 and this code still works -- it's using the private API but checking that the selector exists (myurl is the NSURL I'm trying to load into a WebView or an NSURLConnection):

SEL selx = NSSelectorFromString(@"setAllowsAnyHTTPSCertificate:forHost:");
if ( [NSURLRequest respondsToSelector: selx] )
{
    IMP fp;

    fp = [NSURLRequest methodForSelector:selx];

    (fp)([NSURLRequest class], selx, YES, [myurl host]);
}

Note that "@selector" wasn't used so that absolutely all the work would be done at runtime. That makes it about as safe and as hidden from Apple's checks as can be, especially if you obscure the string.

Answer 3

setAllowsAnyHTTPSCertificate seems to now be unsupported in OS X 10.6.6 altogether.

Did I say 10.6.6? Perhaps I should have said "Snow Vista".

Answer 4

There seems to be a public API for that ;) How to use NSURLConnection to connect with SSL for an untrusted cert?

Answer 5

One really stupid workaround is to make your own category method:

@implementation NSURLRequest (IgnoreSSL)

+ (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host
{
    return YES;
}

@end

This should get by Apple's private API checks, but it's still the same thing (using a private, undocumented API[1] that is liable to break at any time). Actually, it's worse since it allows everything, not just that host.

[1]: An private API that should be made public, but a private API nevertheless.