Is a signed SSL certificate required for Worklight development?

野趣味 2021-01-15 15:03

I'm working on a demo in Worklight version 6.0 where I need to use SSL from iOS and Android to the Worklight Server.

Is there any way to use a self-signed or test c

4 answers
  •  小鲜肉 (original poster)
    2021-01-15 15:25

    OK. I didn't find a general-purpose answer, or a way to accept a particular certificate, but on iOS and Android, it is possible to disable client-side certificate validation for development and test.

    In Android, the default Manifest is already configured to ignore certificate validation. By default, the Application element in AndroidManifest.xml has an attribute:

    android:debuggable="true"
    

    With this setting, the client does not validate the SSL certificate presented by the server. So on Android, self-signed certs just work by default. The important thing to keep in mind is that when you move from development to production, it is important to set this attribute to false. When the attribute is set to false, the client validates the cert presented by the server, and so you will need a real signed cert for the production server. (makes sense)

    In iOS, there are several proposed solutions. The one I'm using is to add the following to the end of my < App Name >.m file:

    @implementation NSURLRequest(DataController)
    + (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host
    {
        return YES;
    }
    @end
    

    From what I gather, this is an unpublished API, and overriding it is bad form, but it works, and this is only for development, so I'm going with it.

    I suppose I could be clever, and check for the hostname of my Worklight Server before blindly returning YES, but in any case, the addition of the code above does allow my app to use SSL with a self-signed cert at the Worklight Server.

    Both of these "solutions" need to be removed before the app is put into production, as they leave the app vulnerable to a man-in-the-middle attack. But for development/early test/demo they allow SSL without having to get real signed certificates.
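
A pre-release check for the two development-only settings named in the answer above, as an added example that is not part of the original post. The file name `DemoApp.m`, the package name and the sample manifest and source are constructed, and the comment stripping is a simple heuristic rather than a full Objective-C parser.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# The class-method override quoted in the answer, tolerant of spacing.
IOS_OVERRIDE = re.compile(
    r"\+\s*\(\s*BOOL\s*\)\s*allowsAnyHTTPSCertificateForHost\s*:")

def manifest_is_debuggable(manifest_xml):
    """True when <application android:debuggable="true"> is present."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return False
    value = app.get("{%s}debuggable" % ANDROID_NS, "false")
    return value.strip().lower() == "true"

def strip_objc_comments(source):
    """Drop /* */ and // comments so a commented-out override is ignored."""
    source = re.sub(r"/\*.*?\*/", "", source, flags=re.S)
    return re.sub(r"//[^\n]*", "", source)

def release_findings(manifest_xml, objc_sources):
    """Return one message per development-only setting still present."""
    findings = []
    if manifest_is_debuggable(manifest_xml):
        findings.append("AndroidManifest.xml: android:debuggable is true")
    for name, source in sorted(objc_sources.items()):
        if IOS_OVERRIDE.search(strip_objc_comments(source)):
            findings.append(name + ": overrides allowsAnyHTTPSCertificateForHost:")
    return findings

# Constructed sample inputs (not taken from a real project).
DEV_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application android:label="Demo" android:debuggable="true"/>
</manifest>"""
RELEASE_MANIFEST = DEV_MANIFEST.replace('debuggable="true"', 'debuggable="false"')
DEV_SOURCE = """@implementation NSURLRequest(DataController)
+ (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host
{
    return YES;
}
@end
"""
CLEAN_SOURCE = "/*\n" + DEV_SOURCE + "*/\n"

if __name__ == "__main__":
    for finding in release_findings(DEV_MANIFEST, {"DemoApp.m": DEV_SOURCE}):
        print("FAIL:", finding)
```

Run against the real manifest and source files in a release build step, failing the build when the returned list is not empty.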
