In my app I need to make some REST API service calls. The certificate on the target development server where the REST API services are deployed is self-signed, so when I run the app I get an error like:
Failed to load resource: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “192.168.10.20:8080” invalid.....which could put your confidential information at risk.
As this server is only for dev/testing purposes, I simply want to ignore the SSL check. How can I achieve that? I tried the following [AppDelegate.m file] but didn't succeed, as the code below does not work in iOS 11:
    @implementation NSURLRequest(DataController)
    + (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host
    {
        return YES;
    }
    @end
I am using ionic 3 & Cordova 7 in my app.
Interestingly, I am just researching the same problem. Looks like in iOS 11 things are a bit more restricted. I am answering here for WKWebView.
In essence you need to do:
Detail description
What you should do in detail is the following (if you are using WKWebView):
You need to modify CDVWKWebViewEngine.m (plugin code). You need to add there:
    // Accepts whatever certificate the server presents: the trust object is
    // wrapped in a credential without being evaluated.
    - (void)webView:(WKWebView *)webView
    didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
    completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition,
                                NSURLCredential *credential))completionHandler {
        SecTrustRef serverTrust = challenge.protectionSpace.serverTrust;
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:serverTrust]);
    }
However, please note - this only works when WKWebView is initialized (i.e. loaded via cordova framework).
So you also need to load your application from the URI where the API is. I presume you have a local network (self-signed certificate), so this should not be a problem. If you load the application locally (i.e. from index.html) then this won't work!
Additionally, you need to disable iOS ATS in the application's *.plist settings file, like:
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
    </dict>
This is what works for me.
Additional resources:
Disclaimer: Disabling the certificate check should be avoided; use this only if you have a very good reason or other restrictions. You still have communication security, but you have no trust. Hence a man-in-the-middle attack is possible! If you decide to go with this option, you should also use certificate pinning to make things more secure.
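The certificate pinning recommended in the disclaimer above, as an added example that is not part of the original answer or of the Cordova plugin: the same delegate callback, but it accepts the self-signed certificate only for the dev host and only when it matches a copy shipped in the app bundle. The class name `PinnedDevTrustDelegate` and the bundled file `dev-server.cer` (DER format) are assumptions; in the Cordova setup described above the method body would go into CDVWKWebViewEngine.m.

```objc
#import <WebKit/WebKit.h>
#import <Security/Security.h>

// Assumed names (not from the answer): PinnedDevTrustDelegate, and a DER copy
// of the server's self-signed certificate bundled as "dev-server.cer".
static NSString * const kDevHost = @"192.168.10.20"; // host from the question

@interface PinnedDevTrustDelegate : NSObject <WKNavigationDelegate>
@end

@implementation PinnedDevTrustDelegate

- (void)webView:(WKWebView *)webView
didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition,
                            NSURLCredential *credential))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;

    // Only server-trust challenges from the dev host are special-cased;
    // everything else gets the system's normal validation.
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust] ||
        ![space.host isEqualToString:kDevHost]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }

    SecTrustRef serverTrust = space.serverTrust;
    NSString *path = [[NSBundle mainBundle] pathForResource:@"dev-server" ofType:@"cer"];
    NSData *pinned = path ? [NSData dataWithContentsOfFile:path] : nil;

    // Pin check: the leaf certificate must equal the bundled copy byte for byte.
    BOOL matches = NO;
    if (serverTrust && pinned && SecTrustGetCertificateCount(serverTrust) > 0) {
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(serverTrust, 0);
        NSData *leafData = (__bridge_transfer NSData *)SecCertificateCopyData(leaf);
        matches = [leafData isEqualToData:pinned];
    }

    if (matches) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:serverTrust]);
    } else {
        // Unknown certificate on the dev host: refuse the connection.
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}

@end
```

`SecTrustGetCertificateAtIndex` is deprecated from iOS 15 in favour of `SecTrustCopyCertificateChain`; it is used here because the question targets iOS 11.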