Allow self signed certificates using WKWebView

Question

I have the following code but I don't know why my webview is not loading.

override func viewDidLoad() {
    super.viewDidLoad()
    loadWebview(env_url:"https://myurl.com")
}

func loadWebview(env_url : String){

    let config = WKWebViewConfiguration()
    let controller = WKUserContentController()
    config.userContentController = controller
    //only https is allowed
    let url = URL(string: env_url)
    if let optional_url = url {
        let url_request = URLRequest(url: optional_url)
        webview = WKWebView(frame: self.view.frame, configuration: config)
        webview?.load(url_request)
        webview?.allowsBackForwardNavigationGestures = true
        webview?.navigationDelegate = self
        webview?.uiDelegate = self
        view.addSubview(webview!)

    }
    else{
        showAlertDebug(message: "Invalid URL")
    }
}

extension WebViewController : WKNavigationDelegate {
func webView(_ webView: WKWebView, decidePolicyFor navigationAction: WKNavigationAction, decisionHandler: @escaping ((WKNavigationActionPolicy) -> Void)) {

    decisionHandler(.allow)
}

func webView(_ webView: WKWebView, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
    let cred = URLCredential(trust: challenge.protectionSpace.serverTrust!)
    completionHandler(.useCredential, cred)
}
}

extension WebViewController : WKUIDelegate {

}

Answer 1

You have to provide ATS (App Transport Security) exceptions in Info.plist in order to override the certificate verification logic. While you accept the certificate, the ATS system is still rejecting it. See NSAppTransportSecurity in the Information Property List Key Reference for details. Generally you'd want NSAllowsArbitraryLoadsInWebContent for your specific domain for this usage.

Keep in mind:

App Store Review for ATS

Your use of certain App Transport Security (ATS) keys triggers additional App Store review for your app, and requires you to provide justification. These keys are:

• NSAllowsArbitraryLoads
• NSAllowsArbitraryLoadsForMedia
• NSAllowsArbitraryLoadsInWebContent
• NSExceptionAllowsInsecureHTTPLoads
• NSExceptionMinimumTLSVersion

Some examples of justifications eligible for consideration are:

• Must connect to a server managed by another entity that does not support secure connections
• Must support connecting to devices that cannot be upgraded to use secure connections, and that must be accessed via public host names
• Must provide embedded web content from a variety of sources, but cannot use a class supported by the NSAllowsArbitraryLoadsInWebContent key
• App loads media content that is encrypted and that contains no personalized information

When submitting your app to the App Store, provide sufficient information for the App Store to determine why your app cannot make secure connections by default.

As a general rule, it's easier to get a commercial certificate than to manage the exceptions for managing your own root certificate (which is what "self-signed" certs really are).