Fortunately, by default, SSL validation is turned on in Apple’s SDK.
Applications using the standard foundation classes for making web queries
will error out when they attempt to fetch data from a site whose SSL
certificate doesn’t check out. For example, the
stringWithContentsOfURL function will return
nil if the remote resource has an
invalid or self-signed certificate. The
NSURLConnection class will return an error under
the same conditions.
But applications using more low-level functions, C or C++ socket functions, or external libraries such as libcurl may need to watch to ensure that their SSL is being validated. Figure 9-8 shows what happens with validation. Without validation, no dialog would be displayed and the data would be transmitted to an insecure host.
Figure 9-8. PayPal’s mobile application doing what it’s supposed to do when the connection can’t be trusted.
Developers can write applications to specifically disable SSL
validation in order to work with websites having self-signed
certificates. Unfortunately, this also undermines the entire integrity
of SSL validation, as an attacker can also use the same code to infect
applications. The following two methods can be added to any
NSURLConnection delegate class to disable all
SSL validation for the connections that notify that class.
- (void) connection:(NSURLConnection ...