Comment by tadfisher 2 days ago
Apple isn't doing certificate pinning, it's the apps verifying the certificate chain themselves by baking in public keys (or hashes/fingerprints). So there's not really a way for Apple to break this.
Apple could say "If you wanna talk HTTPS, you have to use our HTTPSClient class, and that only supports using the system certificate store and does not support pinning".
Or they could say "All apps that don't support custom certificates for https will be denied app store approval".