[Owasp-igoat-project] iOS Application testing

Sean Eidemiller sean at krvw.com
Fri Sep 9 09:38:06 EDT 2011


Hi Syh,

You can programmatically instruct an iOS app to accept an untrusted certificate by implementing the following NSURLConnection delegate methods...

- (BOOL)connection:(NSURLConnection *)connection
    canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace {

    // Tell the connection that this delegate will handle server-trust
    // (certificate) challenges itself, instead of the system's default check.
    return [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
}

- (void)connection:(NSURLConnection *)connection
    didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {

    // Accept whatever certificate the server (or an intercepting proxy) presents.
    // The trust object is never evaluated, so this turns off TLS server
    // validation entirely; keep it confined to test builds.
    [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]
         forAuthenticationChallenge:challenge];
}

However, it sounds like you're trying to test an app that you yourself did NOT write. Am I correct?

In that case, you'll have to install the SSL certificate used by the proxy on your iOS device, and you may find this thread to be helpful...

http://forums.whirlpool.net.au/archive/1018847

Additionally...

http://blog.charlies-server.com/2009/10/30/install-custom-ssl-root-certificatekey-on-iphone

Good luck!

-Sean

On Sep 9, 2011, at 8:57 AM, Seyyah Seyyah wrote:
> Hi all,
> I'm trying to test some iOS apps that use SSL certificates. I'm trying to intercept the device (iPhone, iPad, iPod) traffic by setting my laptop as a proxy on the iOS device and sending all traffic via the laptop. I use a proxy app on the laptop (BurpSuite, Charles Proxy, WebScarab, Paros Proxy, etc.) and I can intercept the iOS device's Safari browser traffic.
> The main problem is: when I use the same method for iOS apps, I get error messages like "The certificate is not valid" or "The internet connection is not available, please check your internet connection".
> I'm sure that there is no problem with my internet connection. I think the problem is that, since I'm trying to intercept the SSL traffic, I need to accept the unsigned certificate of the proxy. There is an option to accept the certificate in the Safari browser, but in iOS apps you cannot accept untrusted certificates by saying "I'm aware of the danger".
> As a result, I'm stuck. If you have any ideas about my problem, I'd appreciate it.
> 
> thanks
> Syh
> _______________________________________________
> Owasp-igoat-project mailing list
> Owasp-igoat-project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-igoat-project
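The second route in the reply above (installing the proxy's CA certificate on the device) is usually done by hand, and the common mistake is installing something that is not actually a CA, which leaves the app errors exactly as described. The script below is an added example and not code from this thread or from the iGoat project. It assumes the openssl command-line tool; the file names, the directory layout and the "Test Proxy CA" subject are made up for the example, and make_sample_cert only produces a constructed stand-in for the .cer a proxy such as Burp or Charles exports.

```shell
#!/bin/sh
# Stage an intercepting proxy's CA certificate for installation on an iOS device.
# Added example, not code from the original thread. Assumes the openssl CLI;
# all file names and the "Test Proxy CA" subject are made up for the example.
set -eu

# Burp and Charles export their CA in DER form (.cer). Convert it to PEM so it
# can be inspected with the usual tools.
der_to_pem() {
    openssl x509 -inform DER -in "$1" -outform PEM
}

# Succeed only if the certificate is a CA (basicConstraints CA:TRUE).
# A leaf certificate installs as a profile just fine, but the device will still
# reject the per-site certificates the proxy mints, so the apps keep failing.
is_ca_cert() {
    openssl x509 -inform "$2" -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# SHA-1 fingerprint in the colon-separated form iOS shows on the
# "Install Profile" screen, so you can confirm it is your own proxy's CA.
fingerprint_sha1() {
    openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha1 | cut -d= -f2
}

# Check the exported CA, copy it into a directory to serve to the device, and
# print its fingerprint for comparison on the device. Fails on a non-CA cert.
stage_ca() {
    cer="$1"
    outdir="$2"
    is_ca_cert "$cer" DER || { echo "$cer is not a CA certificate" >&2; return 1; }
    mkdir -p "$outdir"
    cp "$cer" "$outdir/proxy-ca.cer"
    der_to_pem "$cer" > "$outdir/proxy-ca.pem"
    fingerprint_sha1 "$cer" DER
}

# Constructed stand-in for a proxy's export: a throwaway self-signed
# certificate. Pass TRUE for a CA or FALSE for a leaf-style certificate.
# Prints the path of the DER (.cer) file it wrote.
make_sample_cert() {
    dir="$1"
    name="$2"
    ca_flag="$3"
    mkdir -p "$dir"
    cat > "$dir/$name.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = Test Proxy CA $name
[ext]
basicConstraints = critical,CA:$ca_flag
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/$name.cnf" \
        -keyout "$dir/$name.key" -out "$dir/$name.pem" 2>/dev/null
    openssl x509 -in "$dir/$name.pem" -outform DER -out "$dir/$name.cer"
    echo "$dir/$name.cer"
}
```

Run `stage_ca burp-ca.cer ./serve`, then serve that directory from the laptop that is already configured as the device's proxy (for instance `python3 -m http.server 8000` inside it) and open http://laptop:8000/proxy-ca.cer in Mobile Safari; iOS offers to install it as a profile, and the fingerprint it displays should match the one the script printed. On iOS 10.3 and later the installed CA must additionally be switched on under Settings > General > About > Certificate Trust Settings before apps will trust it. This only helps with apps that rely on the system trust store; an app that pins its own certificate will keep rejecting the proxy regardless.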


