iPhone users inside China experiencing strange Trust-Failed certificate errors

[Devin-Licastro]

My iOS app is used in many countries around the world, but we've been getting consistent reports from users only in China where these weird certificate trust errors pop up when the app starts up.

My app is 100% not trying to connect to any of the domains in these errors, it is only communicating with our own API.

Each time the issue is reported there is a different domain name in the image. We've had a single user report multiple different domains.

The errors also only pop up maybe 0.01% of the time. i.e. once every 100 times the app opens.

Do we have any idea what might be causing it or how to prevent it? The app works fine afterward so if we can just prevent this error from showing, then all would be good. The users also all swear that it is only our app that has this issue and they've never seen it in any other cases.

3 examples below:

[Devin-Licastro]

Would this update potentially allow me to prevent these popups? https://github.com/airsdk/Adobe-Runtime-Support/issues/1453

Unfortunately, I don't have a reliable way to cause them to happen so it will be hard to test, but is that what the update: loader.addEventListener("certificateError", certificateError); Is meant to handle?

Should I be able to add that listener with an empty function to potentially make these go away?

[ajwfrost]

Hi

The update there is just for certificates that are self-signed, so it wouldn't actually make a difference here where the error is that the certificate name does not match the input. Typically, this sort of error happens when something is trying to do a redirect - so for example, if you're on a hotel wifi and try to reach www.something.com, often the hotel will first redirect you to their own website to ask you to sign in. We get similar issues here on work devices where there's a URL that's blocked by our DNS filtering, it redirects us to a site to show the blocked info, but the new URL has a certificate that's different from the expected one..

I would add that I think we used to have a problem where we sometimes didn't check the correct details when there were multiple requests happening - within the iOS system, which seems a bit of a security flaw to me ... i.e. we get a notification that there's a certificate error, from a background thread, and we then request a UI pop-up in the main thread. But by the time we get to that main thread execution, the OS has updated the string that's stored in the variable from which we got the URL/certificate name, resulting in the wrong name being presented to the user... So, please do check that this still happens with the latest AIR SDK before anything else!

If it's still happening .. I guess we should be able to prevent any such pop-ups, even if we then go with the default behaviour of rejecting the dodgy connection. So per your suggestion, just making the error notes go away. Will check how best to do this; for self-signed certificates, then yes adding an empty handler would mean the default behaviour is automatically applied (i.e. reject) so we could extend that to other failure types, which was something that had been requested.. but the asynchronous nature of all this makes it a little challenging sometimes!

If you're able to confirm which build of the AIR SDK you were using here, we can check and see whether a further update is needed so that people can hide such errors..

thanks

[Devin-Licastro]

Thanks for all the info Andrew. My iOS version last used air 50.2.3.3 and we haven't released an update with a newer SDK yet. I'll try upgrading Air for the next update and see if these go away.