iOS apps needs to be written in a way to provide security to data which is being transported over network.
SSL is the common way to do it.
Whenever app tries to call web services to pull or push data to servers, it should use SSL over HTTP, i.e. HTTPS.
To do this, app must call https://server.com/part
such web services and not http://server.com/part
.
In this case, app needs to trust the server server.com
using SSL certificate.
Here is the example of validating server trust-
Implement URLSessionDelegate
as:
func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust {
let serverTrust:SecTrust = challenge.protectionSpace.serverTrust!
func acceptServerTrust() {
let credential:URLCredential = URLCredential(trust: serverTrust)
challenge.sender?.use(credential, for: challenge)
completionHandler(.useCredential, URLCredential(trust: challenge.protectionSpace.serverTrust!))
}
let success = SSLTrustManager.shouldTrustServerTrust(serverTrust, forCert: "Server_Public_SSL_Cert")
if success {
acceptServerTrust()
return
}
}
else if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodClientCertificate {
completionHandler(.rejectProtectionSpace, nil);
return
}
completionHandler(.cancelAuthenticationChallenge, nil)
}
Here is trust manager: (couldn't found Swift code)
@implementation SSLTrustManager
+ (BOOL)shouldTrustServerTrust:(SecTrustRef)serverTrust forCert:(NSString*)certName {
// Load up the bundled certificate.
NSString *certPath = [[NSBundle mainBundle] pathForResource:certName ofType:@"der"];
NSData *certData = [[NSData alloc] initWithContentsOfFile:certPath];
CFDataRef certDataRef = (__bridge_retained CFDataRef)certData;
SecCertificateRef cert = SecCertificateCreateWithData(NULL, certDataRef);
// Establish a chain of trust anchored on our bundled certificate.
CFArrayRef certArrayRef = CFArrayCreate(NULL, (void *)&cert, 1, NULL);
SecTrustSetAnchorCertificates(serverTrust, certArrayRef);
// Verify that trust.
SecTrustResultType trustResult;
SecTrustEvaluate(serverTrust, &trustResult);
// Clean up.
CFRelease(certArrayRef);
CFRelease(cert);
CFRelease(certDataRef);
// Did our custom trust chain evaluate successfully?
return trustResult == kSecTrustResultUnspecified;
}
@end
Server_Public_SSL_Cert.der is servers' public SSL key.
Using this approach our app can make sure that it is communicating to the intended server and no one is intercepting the app-server communication.