NSAppTransportSecurity + NSAllowsArbitraryLoads on iOS 12

Question

There used to be a way to work around iOS' insistance on HTTPs with valid certs. I'm not interested in submitting the app to the store in this state I just want to snif network operations with Charles while developing the app.

Thanks

I tried

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

...and every other variations commonly found online.

There has to be a way...

Answer 1

You Can user below code for SSL Requests using URLSessionRequest,

 fileprivate func SSLCertificateCreateTrustResult(_ serverTrust: SecTrust)->SecTrustResultType {
        let certificate: SecCertificate = SecTrustGetCertificateAtIndex(serverTrust, 0)!
        let remoteCertificateData = CFBridgingRetain(SecCertificateCopyData(certificate))!
        var certName = "certName"

        let cerPath: String = Bundle.main.path(forResource: certName, ofType: "der")!
        let localCertificateData = NSData(contentsOfFile:cerPath)!

        let certDataRef = localCertificateData as CFData
        let cert = (SecCertificateCreateWithData(nil, certDataRef))
        let certArrayRef = [cert] as CFArray
        SecTrustSetAnchorCertificates(serverTrust, certArrayRef)
        SecTrustSetAnchorCertificatesOnly(serverTrust, false)
        let trustResult: SecTrustResultType = SecTrustResultType.invalid
        return trustResult
    }
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if challenge.protectionSpace.authenticationMethod == (NSURLAuthenticationMethodServerTrust) {
            let serverTrust:SecTrust = challenge.protectionSpace.serverTrust!
            var localCertificateTrust = SSLCertificateCreateTrustResult(serverTrust)
            SecTrustEvaluate(serverTrust, &localCertificateTrust)
            if localCertificateTrust == SecTrustResultType.unspecified || localCertificateTrust == SecTrustResultType.proceed || localCertificateTrust == SecTrustResultType.recoverableTrustFailure
            {
                let credential:URLCredential = URLCredential(trust: serverTrust)
                challenge.sender?.use(credential, for: challenge)
                completionHandler(URLSession.AuthChallengeDisposition.useCredential, URLCredential(trust: challenge.protectionSpace.serverTrust!))

            } else {
                let properties = SecTrustCopyProperties(serverTrust)
                completionHandler(URLSession.AuthChallengeDisposition.cancelAuthenticationChallenge, nil)
            }
        }
        else
        {
            completionHandler(URLSession.AuthChallengeDisposition.cancelAuthenticationChallenge, nil);
        }
    }

In Condition

if localCertificateTrust == SecTrustResultType.unspecified || localCertificateTrust == SecTrustResultType.proceed || localCertificateTrust == SecTrustResultType.recoverableTrustFailure

below types are for Valid certificates

SecTrustResultType.unspecified , SecTrustResultType.proceed

for Invalid certificate SecTrustResultType.recoverableTrustFailure

i have added all above three in || condition so to work with valid and invalid certificate in case you want to remove for any you can remove other types