CocoaHTTPServer - Does Apple reject the app if it is running an HTTPS server on the mobile side?

I was able to create an HTTPS server using https://github.com/robbiehanson/CocoaHTTPServer/tree/master/Samples/iPhoneHTTPServer


I faced the same issue related to a certificate and I have resolved it as below, but I want to know whether it will be rejected in the App Store.


1. Created an SSL certificate using keychain access

2. That is successfully added to the keychain

3. I explicitly marked that certificate as trusted for this account, so I can see the plus symbol on that certificate

4. I exported this certificate from the keychain, named it TestCertificate.p12 and included it in the app’s bundle

5. I have made the changes in the code as below to mark this as a secure server

6. Changed the method to provide the certificate


/**
 * Note: In order to support secure connections, the sslIdentityAndCertificates method must be implemented.
 **/
- (BOOL)isSecureServer
{
    HTTPLogTrace();
    return YES;
}



7. Changed this method to provide the certificate for the secured connection which is available in the app’s bundle named “TestCertificate”

8. When the HTTPS server is started the certificate will be used as below


- (NSArray *)sslIdentityAndCertificates
{
    SecIdentityRef identityRef = NULL;
    SecCertificateRef certificateRef = NULL;

    // Load the PKCS#12 bundled with the app (step 4) and import it with its passphrase.
    NSString *thePath = [[NSBundle mainBundle] pathForResource:@"TestCertificate" ofType:@"p12"];
    NSData *PKCS12Data = [[NSData alloc] initWithContentsOfFile:thePath];
    if (PKCS12Data == nil) {
        NSLog(@"TestCertificate.p12 not found in the app bundle");
        return nil;
    }
    NSDictionary *options = @{ (__bridge id)kSecImportExportPassphrase : @"test123" };
    CFArrayRef items = NULL;   // allocated by SecPKCS12Import; we own it and must release it

    OSStatus securityError = SecPKCS12Import((__bridge CFDataRef)PKCS12Data,
                                             (__bridge CFDictionaryRef)options,
                                             &items);
    if (securityError != errSecSuccess || items == NULL || CFArrayGetCount(items) == 0) {
        NSLog(@"SecPKCS12Import failed with error code %d", (int)securityError);
        if (items != NULL) CFRelease(items);
        return nil;
    }

    // The dictionary and the identity in it are owned by `items` (Get, not Copy),
    // so retain the identity before `items` is released.
    CFDictionaryRef identityAndTrust = CFArrayGetValueAtIndex(items, 0);
    identityRef = (SecIdentityRef)CFDictionaryGetValue(identityAndTrust, kSecImportItemIdentity);
    CFRetain(identityRef);
    CFRelease(items);

    // SecIdentityCopyCertificate returns a +1 reference, which CFBridgingRelease hands to ARC.
    if (SecIdentityCopyCertificate(identityRef, &certificateRef) != errSecSuccess) {
        CFRelease(identityRef);
        return nil;
    }
    NSArray *result = @[ CFBridgingRelease(identityRef), CFBridgingRelease(certificateRef) ];

    return result;
}



9. The server started successfully, and when I start the request from the web view to my local HTTPS server I receive an authentication challenge, which I resolved as below


- (void)webView:(WKWebView *)webView didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential))completionHandler
{
    // Record the current trust failures as exceptions on this trust object, then hand the
    // trust back as the credential so the self-signed server certificate is accepted.
    SecTrustRef serverTrust = challenge.protectionSpace.serverTrust;
    CFDataRef exceptions = SecTrustCopyExceptions(serverTrust);
    SecTrustSetExceptions(serverTrust, exceptions);
    CFRelease(exceptions);
    completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:serverTrust]);
}



10. My questions are below

> Does Apple reject the app which runs an HTTPS server inside of the application?

> If Apple doesn’t reject it, then can I use the CocoaHTTPServer library?

> In the above implementation, is the SSL certificate enough for production?

> If not, then can I use any development/App Store certificate created from the Member Center?

> If not, then how can I get a certificate in order to run the HTTPS server on the iPhone?
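As an added example that is not from the thread, a stricter version of the step 9 challenge handler: instead of accepting whatever trust object is presented, it accepts only a localhost peer whose leaf certificate is byte-for-byte the one the app loaded into its own server, and leaves every other host to the system's normal validation. `ReaderViewController` and its `serverCertificate` property are assumed names; the property is assumed to hold the certificate copied from the identity that `sslIdentityAndCertificates` returns.

```objectivec
#import <UIKit/UIKit.h>
#import <WebKit/WebKit.h>
#import <Security/Security.h>

@interface ReaderViewController : UIViewController <WKNavigationDelegate>
// Hypothetical: set at server start from the identity that sslIdentityAndCertificates returns.
@property (nonatomic, assign) SecCertificateRef serverCertificate;
@end

@implementation ReaderViewController

- (void)webView:(WKWebView *)webView
    didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
    completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler
{
    NSURLProtectionSpace *space = challenge.protectionSpace;

    // Only server-trust challenges from the app's own loopback server are special-cased;
    // any other host keeps the system's normal certificate validation.
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]
        || ![space.host isEqualToString:@"localhost"]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }

    SecTrustRef serverTrust = space.serverTrust;
    if (serverTrust == NULL || self.serverCertificate == NULL
        || SecTrustGetCertificateCount(serverTrust) < 1) {
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        return;
    }

    // Pin: the leaf the peer presented must be byte-for-byte the certificate this app
    // loaded into its own HTTPS server. For a self-signed certificate there is no chain
    // beyond the leaf, so an exact DER comparison is the whole check.
    SecCertificateRef leaf = SecTrustGetCertificateAtIndex(serverTrust, 0);
    NSData *presented = CFBridgingRelease(SecCertificateCopyData(leaf));
    NSData *expected = CFBridgingRelease(SecCertificateCopyData(self.serverCertificate));

    if ([presented isEqualToData:expected]) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:serverTrust]);
    } else {
        NSLog(@"Rejected TLS peer on localhost: certificate is not the app's own server certificate");
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}

@end
```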


Replies

Hello jailani,

No one, including Apple, can tell you ahead of time if your app will be rejected or not.

What that means is that you have to decide how you are going to implement the app first, and implement it, then see if Apple will allow it.

Apple's rejections are generally based on violations of the app guidelines. The guidelines typically focus on the functionality (or lack thereof) of the app in question. As long as your app doesn't impact security, battery use, Apple software, or otherwise interfere with the device, then Apple doesn't really care how you implement it. (And remember, I'm not Apple, so nothing I say on this matter really matters.)

As for HTTPS and certificates, I don't know why you would want to do this at all. Are you developing a web server for iOS? Why? If you can answer that question, perhaps the rest of your question will fall into place.

On the App Review front, I largely agree with what john daniel said: only App Review can tell you for sure what will or won’t be allowed on the store, and the best you can do is to follow their published guidelines.

However, I’d like to ask you about your security goals. You wrote:

> 4. I exported this certificate from keychain and named as TestCertificate.p12 and included in the app’s bundle

Storing credentials within your app’s bundle is a very bad idea. For a start, it means that all copies of your app will use the same credential. Secondly, it’s relatively easy for an attacker to extract credentials from your app, meaning that anyone could pose as your app.

To make something reasonably secure you have to generate a unique credential for each user. That can get rather complex, and it’s hard to offer specific advice without knowing more about your use case. Can you walk us through an example of how you expect users to use your app?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Eskimo

1. I am using the third-party library https://github.com/robbiehanson/CocoaHTTPServer to set up the HTTPS server.

2. My application acts as both the server and the client, which means only one client will be active at a time.

3. My application is for reading eBooks. A web version of my app is already available on the web.

4. So I am using the reader module of the web version (JS, HTML, CSS) in the native application to load the book.

5. The web reader module is designed in such a way that the communication between the reader module and whoever consumes it in their app (iOS, Android, etc.) should be client-server.

6. I will download the eBook ahead of time and save it on disk.

7. Once index.html is loaded in the WKWebView, the script associated with it starts generating HTTPS requests. Those requests will be served by the server running in my app.

8. While loading index.html, I will specify my URL, e.g. https://localhost:5858. The script uses this as the base URL and requests the eBook parts, like https://localhost:5858/index.xml and https://localhost:5858/coverImage.png etc.

9. This is how my app works.