Allow unverified ssl certificate in UIWebview

Question

I'm embedding a website in a UIWebView. During development I have it pointed at localhost. The problem is that whenever it hits a "https://" url it doesn't load. When I load the url in mobile safari I get this popup:

Is there a way to override this with the UIWebView to allow the unverified url?

Answer 1

Swift 3/4 version for Nick Lockwood answer.

This is just for testing/development purposes:

extension NSURLRequest {
    #if DEBUG
    static func allowsAnyHTTPSCertificate(forHost host: String) -> Bool {
        return true
    }
    #endif
}

Answer 2

I know its a bit late but it can help others, I found an article to bypass ssl in iOS app, All you need to do is setup your webview and do a post request from application to your server and if you get an ssl error that means you dont have a valid certificate on your server, In order to bypass you have to use webview delegates methonds which are 1.) Can Authenticate Against Protection Space 2.) Should start load with request 3.) Did Receive Authentication Challenge You can copy these function from this URL, For me it works pretty well. Hope it helps

Answer 3

In iOS 9, SSL connections will fail for all invalid or self-signed certificates. This is the default behavior of the new App Transport Security feature in iOS 9.0 or later, and on OS X 10.11 and later.

You can override this behavior in the Info.plist, by setting NSAllowsArbitraryLoads to YES in the NSAppTransportSecurity dictionary. However, I recommend overriding this setting for testing purposes only.

For information see App Transport Technote here.

Answer 4

Using the below two methods we can allow unverified ssl in UIWebview

-(BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace;

-(void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge;

I have answered in detail how to achieve this here

Answer 5

If it's just for testing during development you can create a category on NSURLRequest and override the following private method:

#if DEBUG

@implementation NSURLRequest (NSURLRequestWithIgnoreSSL) 

+ (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host
{
    return YES;
}

@end

#endif

Just put this anywhere in one of your .m files (e.g. app delegate), or put it in it's own .m file. You don't need a matching header file.

The #if DEBUG is a precaution to prevent you from accidentally leaving it enabled when you submit to Apple, but if you need it to work in a release build then remove that (and make sure you remember to restore it or remove this category before you submit to Apple).

Answer 6

Nick's answer will keep your app from being accepted by Apple in the App Store and George's answer will fail to load the remainder of a page that has .css or .js or any other secondary downloads. There is a complete answer here that allows the UIWebView to load pages from a site with an untrusted certificate.

Answer 7

There's a way to do this legally (by App Store laws at least). When you use the NSURLConnection there are 2 methods that can be used to allow self-signed SSL certificates to be used:

How to use NSURLConnection to connect with SSL for an untrusted cert?

If you implement UIWebViewDelegate use the

- (BOOL)webView:(UIWebView *)webView shouldStartLoadWithRequest:(NSURLRequest *)request navigationType:(UIWebViewNavigationType)navigationType;

Return NO to this so that the WebView doesn't load on its own. Then construct an NSURLConnection (which can be used with unsigned certificates via the above link).

Of course the usual SSL recommendations apply here:
-Don't use an unsigned cert on production servers!
-Always surface a warning letting your user decide whether to accept the cert or not.