
For some users our app is throwing an NSError while trying to call a secured server API using a URLSession data task. Below are the details of the error:

error-domain: NSURLErrorDomain
nserror-code: -1202

NSErrorPeerCertificateChainKey: ( "<cert(0x10a086200) s: wifisignon.shaw.ca i: DigiCert SHA2 Secure Server CA>", "<cert(0x10a04f600) s: DigiCert SHA2 Secure Server CA i: DigiCert Global Root CA>" )

NSLocalizedDescription: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “abc.xyz.net” which could put your confidential information at risk.

NSUnderlyingError: Error Domain=kCFErrorDomainCFNetwork Code=-1202 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x282498240>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9843, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9843, kCFStreamPropertySSLPeerCertificates=( "<cert(0x10a086200) s: wifisignon.shaw.ca i: DigiCert SHA2 Secure Server CA>", "<cert(0x10a04f600) s: DigiCert SHA2 Secure Server CA i: DigiCert Global Root CA>" )}

We are using URLSession.shared.dataTask for this GET API call. The problem is that this error occurs only on a few users' devices (300 users out of 5000). Since we cannot reproduce the issue on our devices, it is difficult to debug and find a proper fix. If it is a server certificate issue, then why is it not occurring on all devices with the same model and OS version?

med

  • What is the minimum iOS version required for your app (maybe this is caused by old iOS versions)? Alternatively this might be an attack on the network level. – Robert Jan 22 '20 at 12:11
  • Check your `plist`: https://stackoverflow.com/questions/32755674/ios9-getting-error-an-ssl-error-has-occurred-and-a-secure-connection-to-the-ser/32955793#32955793 – Rob Jan 22 '20 at 12:12
  • @Robert our app's minimum iOS version is 10.0. We are considering manual authentication of server trust using delegate. – med Jan 23 '20 at 07:46
  • @Rob That link has useful information, but it suggests how to load an http URL without TLS. Our problem is that we are trying to communicate with a secured server over https, for which the required security validation needs to be complied with. Check this: https://developer.apple.com/documentation/foundation/url_loading_system/handling_an_authentication_challenge/performing_manual_server_trust_authentication#2959678 The question is why only a few users are facing the certificate validation error. – med Jan 23 '20 at 08:05
  • @Robert what do you suggest we do in case it's an attack on the network level for those 300 users? – med Jan 23 '20 at 08:11
  • The only correct way to handle such situations is to display an error message describing the situation (especially that there is some kind of "defect" on the network level) and that therefore the app will not be able to use the Internet. Ask the user to switch to a different network. DO NOT ALLOW THE USER TO CONTINUE! – Robert Jan 23 '20 at 08:43

1 Answer

You can use a URLSession object with a configuration and delegate rather than using the URLSession.shared object. Then perform manual server trust authentication. You can find the guide here: https://developer.apple.com/documentation/foundation/url_loading_system/handling_an_authentication_challenge/performing_manual_server_trust_authentication

shadow24

  • Theoretically you are right, but practically what should you implement in this delegate for manually trusting something if you don't have access to the "affected environment" and furthermore without knowing if the man-in-the-middle is something the user knows about (and accepts it) or a malicious hacker. – Robert Jan 23 '20 at 18:15
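The manual trust evaluation the answer recommends, as an added Swift example (not code from the question, the answer or Apple's documentation): the delegate binds the evaluation to the host the app intended to reach, accepts the connection only when the system evaluation passes, and otherwise records which subject actually presented the certificate (in the question's error the leaf is wifisignon.shaw.ca rather than the requested host) before cancelling the challenge, which is the "do not let the user continue" behaviour the comments ask for. `api.example.com` is a placeholder host, and `SecTrustEvaluateWithError` assumes iOS 12 or later, beyond the app's stated iOS 10 minimum.

```swift
import Foundation
import Security

/// URLSession delegate that evaluates server trust itself and reports why it failed.
final class ServerTrustDelegate: NSObject, URLSessionDelegate {
    private let expectedHost: String          // host the app meant to reach (placeholder in usage below)
    private let onFailure: (String) -> Void   // receives a diagnostic when validation fails

    init(expectedHost: String, onFailure: @escaping (String) -> Void) {
        self.expectedHost = expectedHost
        self.onFailure = onFailure
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only server-trust challenges are handled here; anything else gets default handling.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Bind the evaluation to the hostname we intended to contact, so a chain issued for
        // some other name (for example a captive portal's sign-on host) fails name checking.
        _ = SecTrustSetPolicies(trust, SecPolicyCreateSSL(true, expectedHost as CFString))

        var error: CFError?
        if SecTrustEvaluateWithError(trust, &error) {   // assumption: iOS 12 or later
            completionHandler(.useCredential, URLCredential(trust: trust))
            return
        }

        // Validation failed: record who actually presented the certificate, then refuse.
        let leafSubject = SecTrustGetCertificateAtIndex(trust, 0)
            .flatMap { SecCertificateCopySubjectSummary($0) }
            .map { $0 as String } ?? "<unknown>"
        let reason = (error as Error?)?.localizedDescription ?? "no details"
        onFailure("TLS trust failed for \(expectedHost): leaf subject '\(leafSubject)', \(reason)")
        completionHandler(.cancelAuthenticationChallenge, nil)
    }
}

// Usage: the diagnostic goes to the app's logs and drives a "switch networks" message,
// replacing an opaque NSURLErrorDomain -1202 that cannot be reproduced in-house.
let delegate = ServerTrustDelegate(expectedHost: "api.example.com") { diagnostic in
    print(diagnostic)
}
let session = URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
```

The failure path never returns `.useCredential`, so the delegate only adds visibility into which certificate the 300 affected devices are seeing; it does not relax validation for them.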