rysasahrialWhen building iOS apps that interact with the internet, securing your network requests is crucial to ensure the safety and privacy of your users. Swift offers powerful tools and APIs to make secure network calls using best practices such as HTTPS, certificate pinning, and proper error handling.
In this article, we’ll explore how to make secure network requests in Swift using URLSession, handle authentication challenges, and validate SSL/TLS certificates. We’ll also touch on how to prevent man-in-the-middle (MITM) attacks and ensure your data transmissions are encrypted and protected.
1. Use HTTPS for All Requests
Always use HTTPS instead of HTTP. Apple enforces this through App Transport Security (ATS), which blocks any insecure HTTP connection unless explicitly allowed in your app’s Info.plist. To ensure compliance and avoid App Store rejection, configure your backend to support HTTPS with a valid SSL certificate.
2. Making a Basic Secure Request
Here’s an example of how to make a secure GET request in Swift:
import Foundation
guard let url = URL(string: "https://api.example.com/data") else { return }
let task = URLSession.shared.dataTask(with: url) { data, response, error in
if let error = error {
print("Request failed: \(error)")
return
}
if let data = data {
print("Received data: \(data)")
}
}
task.resume()
This simple request already benefits from ATS and will be blocked if the server does not use HTTPS.
3. Implement SSL Pinning
SSL pinning adds an additional layer of security by validating the server’s certificate or public key. This mitigates the risk of MITM attacks, even if a malicious certificate authority is involved.
Here’s a basic implementation using URLSessionDelegate:
class SecureSessionDelegate: NSObject, URLSessionDelegate {
func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
if let serverTrust = challenge.protectionSpace.serverTrust,
SecTrustEvaluateWithError(serverTrust, nil) {
let credential = URLCredential(trust: serverTrust)
completionHandler(.useCredential, credential)
} else {
completionHandler(.cancelAuthenticationChallenge, nil)
}
}
}
Attach this delegate when creating a custom URLSession to validate certificates manually.
4. Use Custom Headers for Authorization
When working with APIs that require authentication, always pass your token securely in the headers:
var request = URLRequest(url: URL(string: "https://api.example.com/secure-data")!)
request.setValue("Bearer YOUR_API_TOKEN", forHTTPHeaderField: "Authorization")
Ensure that tokens are stored securely in the Keychain, not in plain text or UserDefaults.
5. Handle Errors Gracefully
Secure requests are also about handling failures. Always validate HTTP response codes and gracefully handle network issues or expired tokens to enhance UX and security.
6. Additional Best Practices
- Disable caching for sensitive data.
- Avoid logging sensitive request or response data.
- Regularly audit and update SSL certificates.
- Use tools like Charles Proxy or OWASP ZAP to test your app’s network security.
By following these best practices, you can ensure your Swift app communicates securely over the network and protects user data effectively.
