HTTP digest authentication no longer works in our app since iOS 10 due to a wrong nonce-count in the Authorization: Digest header generated by NSURLSession.
The same code
We have the same problem in our company as described here: Cordova app can't connect with Dynamics NAV Web-Service (ODATA) after update to iOS 10
We can reproduce the issue both in our App and the Safari Browser with iOS 10 devices. There does not seem to be a simple client side workaround. We opened a Bug Report with Apple.
In our case the problem was solved with the 10.2 Beta release.
Apple Developer Technical Support confirmed that this is a bug in iOS 10. Hope it will be fixed soon.
Thank you for contacting Apple Developer Technical Support (DTS). We believe this issue is a bug. Please file a bug report using the Bug Reporter tool https://developer.apple.com/bug-reporting/.
Update: Apple fixed this issue in iOS 10.2 Beta 3
Chances are, the OS is sending a HEAD request first, and your server-side code isn't getting it. I would try running Charles Proxy to verify that this is what's happening.
That said, skipping a nonce count is not inherently an indication of any sort of attack. It could occur even in iOS 9 if a request got lost somehow (e.g. a network error). What's important is to ensure that the count doesn't go backwards. So I would argue that your server code is buggy and should not be rejecting that to begin with.
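As an added example (not part of the original answer or of any poster's server code), here is a server-side nonce-count check that accepts gaps but rejects counts that repeat or go backwards. The `NonceCountTracker` class, its method names and the sample nonce are assumptions made for illustration.

```python
import re

NC_RE = re.compile(r"[0-9a-fA-F]{8}")  # nc is transmitted as exactly 8 hex digits


class NonceCountTracker:
    """Tracks the highest nonce-count accepted per server nonce (hypothetical helper)."""

    def __init__(self):
        self._last_nc = {}  # server nonce -> highest nc accepted so far

    def issue(self, nonce):
        """Register a nonce the server has just sent in a challenge."""
        self._last_nc[nonce] = 0

    def check(self, nonce, nc_hex):
        """Return (accepted, reason) for the nonce/nc pair of one Digest header."""
        if nonce not in self._last_nc:
            return False, "unknown-nonce"   # not issued by us: send a new challenge
        if not NC_RE.fullmatch(nc_hex):
            return False, "malformed-nc"
        nc = int(nc_hex, 16)
        if nc <= self._last_nc[nonce]:
            return False, "replayed-nc"     # repeated or went backwards
        self._last_nc[nonce] = nc           # gaps are fine: only growth matters
        return True, "ok"


def demo():
    tracker = NonceCountTracker()
    nonce = "constructed-sample-nonce"      # constructed value, not from a real capture
    tracker.issue(nonce)
    # Constructed sequence: first request, a skipped count, a replay, a backwards count.
    sequence = ("00000001", "00000003", "00000003", "00000002")
    return [tracker.check(nonce, nc) for nc in sequence]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A strictly increasing check also rejects requests on the same nonce that arrive out of order; a server that must tolerate that can track a window of already-seen counts instead of a single high-water mark.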