Comment by ChrisMarshallNY
3 years ago
This is an interesting topic, for me.
I write iOS apps, and iOS requires that all internet communications be done with HTTPS.
It is possible to use self-signed certs, but you need to do a bit of work on the software, to validate and approve them. I don't like doing that, as I consider it a potential security vector (you are constantly reading about development code that is compiled into release product, and subsequently leveraged by crooks).
I am working on a full-stack system. I can run the backend on my laptop, but the app won't connect to it, unless I do the self-signed workaround.
It's easier for me to just leave the backend on the hosted server. I hardly ever need to work on that part.
For the project I'm working on currently, I use Charles Proxy's "Map Remote" function to map our UAT server's HTTPS URL to my local machine's HTTP URL.
Also ngrok.com works really well if you need to give other people access to your dev environment.
> I use Charles Proxy's "Map Remote" function to map our UAT server's HTTPS URL to my local machine's HTTP URL.
This looks really interesting. Thanks! I'll see if I can get away with it.
If you create a custom SSL CA, you can add that CA to your iOS devices and simulators, and they will trust your backend served with an SSL certificate issued by your custom CA, no app modifications needed. (On modern Android, this does not work out of the box - it requires the custom SSL CA fingerprints to be added to a network configuration file embedded in the app - but you could always use Gradle flavors and only add it to your debug/development builds)
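The custom CA setup described in the comment above, as an added example that is not part of the original thread: it creates a development root with OpenSSL and issues a server certificate for a local backend. The domain `dev.example.test`, the host names and the file names are assumptions, and the name constraint on the CA goes beyond what the comment describes: it limits what a leaked CA key could be used to impersonate on devices that trust it.

```bash
#!/usr/bin/env bash
# Constructed sketch: DEV_DOMAIN, host names and file names are placeholders.
DEV_DOMAIN="dev.example.test"

make_dev_ca() {   # $1 = output directory
  local d="$1"; mkdir -p "$d"
  cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Local Dev CA (do not ship)
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;DNS:$DEV_DOMAIN
EOF
  # ca.pem is the only file that goes onto devices; ca.key stays on the dev machine.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$d/ca.cnf" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
}

issue_leaf() {    # $1 = CA directory, $2 = backend host name
  local d="$1" host="$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$d/$host.key" -out "$d/$host.csr" 2>/dev/null
  # Apple platforms require a SAN, the serverAuth EKU and a validity of
  # 825 days or less on TLS server certificates.
  printf '%s\n' "basicConstraints = CA:FALSE" \
    "keyUsage = critical, digitalSignature, keyEncipherment" \
    "extendedKeyUsage = serverAuth" \
    "subjectAltName = DNS:$host" > "$d/$host.ext"
  openssl x509 -req -in "$d/$host.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -sha256 -days 397 -extfile "$d/$host.ext" \
    -out "$d/$host.pem" 2>/dev/null
}

leaf_verifies() { # succeeds only if signature chain and name constraints hold
  openssl verify -CAfile "$1/ca.pem" "$1/$2.pem" >/dev/null 2>&1
}
```

On a physical iOS device, an installed root also has to be switched on under Settings > General > About > Certificate Trust Settings before TLS connections will trust it.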
> I write iOS apps, and iOS requires that all internet communications be done with HTTPS
What if the app is on the same network as the server?
I've got a Denon A/V receiver that has an HTTP interface and the Denon iOS app is able to talk to it. I've watched this via a packet sniffer and it definitely is using plain HTTP.
> I've got a Denon A/V receiver that has an HTTP interface and the Denon iOS app is able to talk to it. I've watched this via a packet sniffer and it definitely is using plain HTTP.
That's interesting. I wonder why Apple let that go by. I've had apps rejected, because they wouldn't use HTTPS. Maybe it's OK for a local WiFi connection. Even then, Apple has been fairly strict.
That said, I think that there are ways to register for exceptions.
Yeah, same with a couple of apps I use, WLED, and HomeAssistant both work on HTTP.