Alternative method for NSURLRequest's private "setAllowsAnyHTTPSCertificate:forHost:"?

Question

My iPhone application was rejected solely for using the (very safe, it seems) private method +setAllowsAnyHTTPSCertificate:forHost: for NSURLRequest. Is there a non-private API to emulate this functionality?

Why do you want to allow invalid HTTPs certificates in the first place? — Javier Soto, Jun 20 '12 at 17:49
Hi.. your issue is resolved but for that have you exclude above method in your source code? — Sunil Targe, Jul 25 '13 at 06:26

score 7 · Accepted Answer · edited May 23 '17 at 12:32

7

There seems to be a public API for that ;) How to use NSURLConnection to connect with SSL for an untrusted cert?

edited May 23 '17 at 12:32

Community

1
1

answered Jan 27 '10 at 08:23

yonel

7,855
2
44
51

Thank you! Strange that Google didn't turn up this. – Michael Feb 01 '10 at 02:31

score 6 · Answer 2 · answered Sep 14 '11 at 21:07

6

Actually, I'm testing with 10.6.8 and this code still works -- it's using the private API but checking that the selector exists (myurl is the NSURL I'm trying to load into a WebView or an NSURLConnection):

SEL selx = NSSelectorFromString(@"setAllowsAnyHTTPSCertificate:forHost:");
if ( [NSURLRequest respondsToSelector: selx] )
{
    IMP fp;

    fp = [NSURLRequest methodForSelector:selx];

    (fp)([NSURLRequest class], selx, YES, [myurl host]);
}

Note that "@selector" wasn't used so that absolutely all the work would be done at runtime. That makes it about as safe and as hidden from Apple's checks as can be, especially if you obscure the string.

answered Sep 14 '11 at 21:07

JustSomeGuyYouKnow

61
1
1

1

Not a recommended solution: (1) you don't give your user the option to accept or not. (2) You're writing in a public forum if Apple happens upon it they might get wise to it. (3) See Yonel's answer: http://stackoverflow.com/a/2145367/818352 – George May 04 '12 at 20:08
Just wanted to say that this worked for me until the 5S and iPad Air came out - crashes here (on the cast) on either of those devices. – Luke Dec 02 '13 at 14:17

Michael · Answer 3 · 2010-01-09T19:28:54.053

1

One really stupid workaround is to make your own category method:

@implementation NSURLRequest (IgnoreSSL)

+ (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host
{
    return YES;
}

@end

This should get by Apple's private API checks, but it's still the same thing (using a private, undocumented API[1] that is liable to break at any time). Actually, it's worse since it allows everything, not just that host.

[1]: An private API that should be made public, but a private API nevertheless.

edited Jan 09 '10 at 19:28

answered Jan 04 '10 at 21:10

Michael

11,612
10
41
43

1

From what I know of it, this will still not pass Apple's checks, as they appear to use a rather simple analysis based purely on selectors, not their usage. – Mike Abdullah Jan 05 '10 at 00:21
@Mike: Are you sure? I am not "using" the selector at all, only redefining it. It is Apple's internals that call it. Granted, this is not at all safe, but I don't see how it wouldn't pass Apple's checks. – Michael Jan 09 '10 at 20:14
1

This way will definitely get your app rejected. – Franklin Jul 11 '12 at 12:00

score 0 · Answer 4 · edited Feb 07 '12 at 10:35

0

Not a solution, but a suggestion. Have you thought about using ASIHttpRequest Framework for this? This framework is complete in all aspects. Check the documentation, maybe it can help you too.

edited Feb 07 '12 at 10:35

Nils Munch

8,805
11
51
103

answered Jan 05 '10 at 12:22

Madhup Singh Yadav

8,110
7
51
84

score 0 · Answer 5 · answered Jan 06 '11 at 23:25

0

setAllowsAnyHTTPSCertificate seems to now be unsupported in OS X 10.6.6 altogether.

Did I say 10.6.6? Perhaps I should have said "Snow Vista".

answered Jan 06 '11 at 23:25

billy

11
1

Alternative method for NSURLRequest's private "setAllowsAnyHTTPSCertificate:forHost:"?

5 Answers5

Linked