
https://cordova.apache.org/docs/en/8.x/guide/appdev/security/index.html mentions that:

The reason is that accepting self-signed certificates bypasses the certificate chain validation, which allows any server certificate to be considered valid by the device.

  • Does this mean that as soon as an iOS device trusts any self-signed certificate, any SSL traffic (from any app) is insecure?
  • If yes, what's the recommended way from Apple to handle this? (I believe I can't prevent a user from trusting a self-signed certificate for any reason.) Can I somehow check if any such certificate is trusted (in this example I use Cordova)?
  • Or does this mean that only for a connection where a self-signed certificate is applied, no SSL validation is executed?
Dunken

2 Answers


When using Cordova on iOS, if you want to use self-signed certificates you have to add this code to your app.

    // Category on NSURLRequest: answering YES here makes the framework accept
    // any HTTPS certificate for every host, i.e. chain validation is skipped.
    @implementation NSURLRequest(DataController)
    + (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host {
        return YES;
    }
    @end

So that's probably what this means

The reason is that accepting self-signed certificates bypasses the certificate chain validation, which allows any server certificate to be considered valid by the device.

Unlike Android, this is all or nothing: once you add that, all the validations are skipped.

Adding that only affects your app, not other apps, but it affects all the connections your WebView does. So it makes your app highly insecure, as people could easily do man-in-the-middle attacks.

jcesarmobile
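Added example (not part of either answer, and not Cordova's or Apple's code): the narrower alternative to the category above is to trust exactly one known self-signed certificate for one host and leave the system's normal chain validation in place for every other host. This is written for native NSURLSession code, so it does not change what the Cordova WebView itself does; it only shows the per-certificate trust the answer says the category cannot give you. The bundled file name `server.der` and the host `dev.example.internal` are placeholders.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Session delegate that accepts one pinned self-signed certificate for one host
// and falls back to default (system root) validation for everything else.
@interface PinnedSessionDelegate : NSObject <NSURLSessionDelegate>
@property (nonatomic, copy) NSString *pinnedHost;          // placeholder host name
@property (nonatomic, copy) NSData *pinnedCertificateDER;  // DER bytes of the expected cert
@end

@implementation PinnedSessionDelegate

- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;

    // Only server-trust challenges are handled here; HTTP auth etc. keep default handling.
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }

    // Any host other than the pinned one is validated against the system root store as usual.
    if (![space.host isEqualToString:self.pinnedHost]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }

    SecTrustRef trust = space.serverTrust;
    SecCertificateRef anchor =
        SecCertificateCreateWithData(NULL, (__bridge CFDataRef)self.pinnedCertificateDER);
    if (anchor == NULL) {
        // Bundled certificate is missing or not valid DER: fail closed.
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        return;
    }

    // Replace the root store with our single anchor for this evaluation only, so the
    // presented chain must terminate in exactly this self-signed certificate.
    NSArray *anchors = @[ (__bridge id)anchor ];
    OSStatus status = SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors);
    if (status == errSecSuccess) {
        status = SecTrustSetAnchorCertificatesOnly(trust, true);
    }

    BOOL trusted = NO;
    if (status == errSecSuccess) {
        CFErrorRef error = NULL;
        // iOS 12+. The SSL policy attached by NSURLSession still checks the host name,
        // validity period and signature; only the set of accepted roots has changed.
        trusted = SecTrustEvaluateWithError(trust, &error);
        if (error != NULL) {
            CFRelease(error);
        }
    }
    CFRelease(anchor);

    if (trusted) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:trust]);
    } else {
        // Any other certificate for this host, self-signed or CA-issued, is rejected.
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}

@end

// Wiring it up (placeholder file and host names):
static NSURLSession *MakePinnedSession(void) {
    PinnedSessionDelegate *delegate = [PinnedSessionDelegate new];
    delegate.pinnedHost = @"dev.example.internal";
    NSString *path = [[NSBundle mainBundle] pathForResource:@"server" ofType:@"der"];
    delegate.pinnedCertificateDER = [NSData dataWithContentsOfFile:path];
    return [NSURLSession sessionWithConfiguration:[NSURLSessionConfiguration defaultSessionConfiguration]
                                         delegate:delegate
                                    delegateQueue:nil];
}
```

The point of the design is the failure mode: when the pinned file cannot be loaded or the presented chain does not end in that exact certificate, the challenge is cancelled rather than handed back to default handling, so a misconfiguration cannot silently widen what is trusted.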

SSL is installed on the server. So this is about an SSL certificate that is not issued by some CA (Certification Authority). A proper certificate is one that is issued by some authentic CA like Verisign, so that it can be validated by the Android or iOS device by verifying the chain of trust.

This doesn't involve any certificate installed on the mobile device itself, either iOS or Android.

For further clarification on the difference between a self-signed certificate and a CA certificate, check this SO answer.

HAK
  • Thanks. I know the difference. Maybe my question is slightly misleading: I've been talking about the case if the client trusts a self-signed certificate. – Dunken Jun 07 '18 at 16:05
  • Ok. So you wanna know what happens when during the ssh handshake instead of a proper certificate, client sees a self-signed certificate instead? – HAK Jun 07 '18 at 20:07
  • Yes, in case of a Cordova app on iOS. I'm concerned about the statement of Cordova. It's not like this on Android: on Android if I trust a s-s-cert this doesn't mean I accept ANY s-s-cert. – Dunken Jun 08 '18 at 05:07