Comment by tadfisher 2 days ago
Apple isn't doing certificate pinning, it's the apps verifying the certificate chain themselves by baking in public keys (or hashes/fingerprints). So there's not really a way for Apple to break this.
While you're at it, make sure to have them prohibit any encryption on top of HTTPS, or apps might just be hiding things in application-level encryption schemes!
Banning certificate pinning... Do we really need mandated insecurity by prohibiting apps from doing better than trusting all Apple-trusted CAs around the world?
A better rule might be "You must use our HTTPSClient class, and it either uses the system+user trust stores, or optionally it uses an application supplied certificate authority+the user trust store".
Or you could ignore the self-signed aspect altogether, and instead give the OS VPN framework (where all network introspection stuff lives on iOS) a hook into the forced-choice HTTPS client — a hook that allows the active system VPN to say either “show me that before you encrypt it / after you decrypt it” or “don’t bother encrypting/decrypting that; I’ll handle it.”
Where, in the latter case, the TLS establishment is opaque, but then the VPN is handed the data that would be going through the TLS logic, plus an (also-opaque) handle to the established TLS-session RSA key, that it can use to finish the encryption/decryption process of each stream-chunk on behalf of the app, after doing whatever filtering / transformation / etc. it wants to do.
(Anyone remember Privoxy, the “MITM that works for you” that presaged most of the in-client features of Tor Browser? Same idea; just now with OS support.)
Actually it depends. Apple does provide a way to configure your app for certificate pinning, which then allows you to pin certificates without any changes in your code. [1]
Any apps that set up certificate pinning this way could be bypassed by Apple, though obviously there would be little value in them doing it since that'd just lead to app developers doing what you're describing instead.
Though if I'm understanding this correctly, jailbroken phones could probably bypass it by modifying an app's Info.plist and running the app despite the broken signature.
Can you not extract the key from the apps? They are only signed against modification, surely? Can you not read the data they have stored on the handset?
Generally apps like Fiddler generate their own cert which you load onto the device and accept. My understanding is this allows it intercept and re-write requests. When you do this, apps using cert. pinning will sniff out your "wrong" cert. and stop working.
Apple could say "If you wanna talk HTTPS, you have to use our HTTPSClient class, and that only supports using the system certificate store and does not support pinning".
Or they could say "All apps that don't support custom certificates for https will be denied app store approval".