My iPhone application was rejected solely for using the (very safe, it seems) private method +setAllowsAnyHTTPSCertificate:forHost: for NSURLRequest. Is there a
setAllowsAnyHTTPSCertificate seems to now be unsupported in OS X 10.6.6 altogether.
Did I say 10.6.6? Perhaps I should have said "Snow Vista".
Actually, I'm testing with 10.6.8 and this code still works -- it's using the private API but checking that the selector exists (myurl is the NSURL I'm trying to load into a WebView or an NSURLConnection):
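    SEL selx = NSSelectorFromString(@"setAllowsAnyHTTPSCertificate:forHost:");
    if ( [NSURLRequest respondsToSelector: selx] )
    {
        // Cast the IMP to the method's real signature before calling it;
        // calling through a bare IMP with extra arguments is not portable.
        void (*fp)(id, SEL, BOOL, NSString *);
        fp = (void (*)(id, SEL, BOOL, NSString *))[NSURLRequest methodForSelector:selx];
        fp([NSURLRequest class], selx, YES, [myurl host]);
    }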
Note that "@selector" wasn't used so that absolutely all the work would be done at runtime. That makes it about as safe and as hidden from Apple's checks as can be, especially if you obscure the string.
There seems to be a public API for that ;) How to use NSURLConnection to connect with SSL for an untrusted cert?
Not a solution, but a suggestion. Have you thought about using the ASIHTTPRequest framework for this? This framework is complete in all aspects. Check the documentation, maybe it can help you too.
One really stupid workaround is to make your own category method:
    @implementation NSURLRequest (IgnoreSSL)
    + (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host
    {
        return YES;
    }
    @end
This should get by Apple's private API checks, but it's still the same thing (using a private, undocumented API[1] that is liable to break at any time). Actually, it's worse since it allows everything, not just that host.
[1]: A private API that should be made public, but a private API nevertheless.
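An added example, not code from any of the posts above: the public-API route mentioned earlier, narrowed so that it addresses the "allows everything, not just that host" problem. It uses NSURLSession (the successor to NSURLConnection) and trusts one bundled certificate for one host only; the names PinnedHostDelegate, kPinnedHost, internal.example.com and server.der are assumptions made for illustration.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical host name; the pinned certificate is assumed to ship in the
// app bundle as "server.der" (DER-encoded copy of the server's certificate).
static NSString * const kPinnedHost = @"internal.example.com";

@interface PinnedHostDelegate : NSObject <NSURLSessionDelegate>
@end

@implementation PinnedHostDelegate

- (void)URLSession:(NSURLSession *)session
    didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
      completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler
{
    NSURLProtectionSpace *space = challenge.protectionSpace;
    // Any other host or challenge type keeps the normal system validation.
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust] ||
        ![space.host isEqualToString:kPinnedHost]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    NSString *path = [[NSBundle mainBundle] pathForResource:@"server" ofType:@"der"];
    NSData *der = path ? [NSData dataWithContentsOfFile:path] : nil;
    SecCertificateRef pinned = der ? SecCertificateCreateWithData(NULL, (__bridge CFDataRef)der) : NULL;
    if (pinned == NULL) {
        // Missing or unparsable pin: fail closed rather than trusting anything.
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        return;
    }
    // Trust only the bundled certificate as anchor; the trust object's SSL
    // policy still checks the host name and validity dates.
    SecTrustRef trust = space.serverTrust;
    NSArray *anchors = @[ (__bridge id)pinned ];
    BOOL ok = SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors) == errSecSuccess &&
              SecTrustSetAnchorCertificatesOnly(trust, true) == errSecSuccess &&
              SecTrustEvaluateWithError(trust, NULL);
    CFRelease(pinned);
    if (ok) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:trust]);
    } else {
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}

@end
```

SecTrustEvaluateWithError requires iOS 12 or macOS 10.14 and later; the delegate is passed to +[NSURLSession sessionWithConfiguration:delegate:delegateQueue:].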