Our app has "allow arbitrary loads" in the "App Transport Security Settings" and generally allows both "http" and "https" connections. I want to restrict basic authentication usage to secure connections only, what is the best way to do that?
I have URLSessionTaskDelegate's:
func urlSession(_ session: URLSession, task: URLSessionTask, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
where I can put the relevant logic, but how do I check if the connection attempt in question is happening over TLS or not? I can check task.currentRequest.url scheme being "http" vs "https", and port being nil vs 80 vs 443, but I hope there is a more robust check.
I can check task.currentRequest.url scheme being
httpvshttps
The droid you’re looking for is the receivesCredentialSecurely property on the protection space.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"