Reputation: 8681
https://cordova.apache.org/docs/en/8.x/guide/appdev/security/index.html mentions that:
The reason is that accepting self-signed certificates bypasses the certificate chain validation, which allows any server certificate to be considered valid by the device.
Upvotes: 3
Views: 1977
Reputation: 53301
When using Cordova on iOS, if you want to use self-signed certificates you have to add this code to your app:
@implementation NSURLRequest(DataController)
+ (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host
{
    return YES;
}
@end
So that's probably what this means:
The reason is that accepting self-signed certificates bypasses the certificate chain validation, which allows any server certificate to be considered valid by the device.
Unlike Android, this is all or nothing: once you add that, all the validations are skipped.
Adding that only affects your app, not other apps, but it affects all the connections your WebView makes. So it makes your app highly insecure, as people could easily do man-in-the-middle attacks.
Upvotes: 1
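A source-audit check for the override shown in the answer above, as an added example that is not part of the original answers or of Cordova itself: it flags any `NSURLRequest` category that defines `allowsAnyHTTPSCertificateForHost:` in live code, so the bypass can be caught before a build ships. The function names, the sample sources and the choice to scan `.m`/`.mm` files are assumptions of this example.

```python
import re
from pathlib import Path

# Constructed sample sources for illustration (not from any real project).
SAMPLE_BYPASS = '''\
@implementation NSURLRequest(DataController)
+ (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host
{
    return YES;
}
@end
'''
SAMPLE_COMMENTED_OUT = '''\
/* @implementation NSURLRequest(DataController)
+ (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host { return YES; }
@end */
@implementation AppDelegate
@end
'''

# Simplified comment matcher: it does not understand string literals.
_COMMENT = re.compile(r'/\*.*?\*/|//[^\n]*', re.S)
_CATEGORY = re.compile(
    r'@implementation\s+NSURLRequest\s*\(\s*(\w*)\s*\)(.*?)@end', re.S)
_METHOD = re.compile(r'\+\s*\(\s*BOOL\s*\)\s*allowsAnyHTTPSCertificateForHost\s*:')

def _blank_comments(src):
    """Replace comments with spaces, keeping newlines so line numbers hold."""
    return _COMMENT.sub(lambda m: re.sub(r'[^\n]', ' ', m.group()), src)

def find_cert_bypass(src):
    """Return (line, category) for each NSURLRequest category that defines
    allowsAnyHTTPSCertificateForHost: outside of comments."""
    code = _blank_comments(src)
    hits = []
    for cat in _CATEGORY.finditer(code):
        m = _METHOD.search(cat.group(2))
        if m:
            offset = cat.start(2) + m.start()
            hits.append((code.count('\n', 0, offset) + 1, cat.group(1)))
    return hits

def scan_tree(root):
    """Scan every .m/.mm file under root; return {path: hits} for files with hits."""
    sources = (p for p in Path(root).rglob('*') if p.suffix in ('.m', '.mm') and p.is_file())
    results = {str(p): find_cert_bypass(p.read_text(errors='replace')) for p in sources}
    return {path: hits for path, hits in results.items() if hits}
```

Running `scan_tree` over the iOS platform and plugin source directories in CI turns any hit into a failed build.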
Reputation: 2071
SSL is installed on the server. So this is about an SSL certificate that is not issued by some CA (Certification Authority). A proper certificate is one that is issued by some authentic CA like Verisign, so that it can be validated by the Android or iOS device by verifying the chain of trust.
This doesn't involve any certificate installed on the mobile device itself, either iOS or Android.
For further clarification on the difference between a self-signed certificate and a CA certificate, check this SO answer.
Upvotes: 0