Comment by derefr 2 days ago

0 replies

Or you could ignore the self-signed aspect altogether, and instead give the OS VPN framework (where all network introspection stuff lives on iOS) a hook into the forced-choice HTTPS client — a hook that allows the active system VPN to say either “show me that before you encrypt it / after you decrypt it” or “don’t bother encrypting/decrypting that; I’ll handle it.”

Where, in the latter case, the TLS establishment is opaque, but then the VPN is handed the data that would be going through the TLS logic, plus an (also-opaque) handle to the established TLS-session RSA key, that it can use to finish the encryption/decryption process of each stream-chunk on behalf of the app, after doing whatever filtering / transformation / etc. it wants to do.

(Anyone remember Privoxy, the “MITM that works for you” that presaged most of the in-client features of Tor Browser? Same idea; just now with OS support.)
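An added illustration, not part of derefr's comment, of the two hook modes sketched above: in "inspect" mode the TLS stack shows the VPN each chunk before sealing / after opening and still does the record protection itself; in "takeover" mode the stack hands the VPN the chunk plus an opaque handle to the established session key, and the VPN filters and then seals/opens on the app's behalf without ever seeing the key bytes. Everything here is assumed for illustration: the hook API (VpnHook, tls_write, tls_read), the SessionHandle, the Privoxy-style header filter and the sample HTTP request are constructed, and the record protection is a stand-in (HMAC-SHA256 keystream plus MAC over a sequence number), not TLS.

```python
# Added model of the two hook modes described in the comment above: the
# "inspect" hook sees plaintext while the TLS stack still seals it; the
# "takeover" hook is handed the plaintext plus an opaque SessionHandle and
# seals/opens itself.  Record protection is a stand-in (HMAC-SHA256 keystream
# and MAC), not TLS; all names and the hook API are assumptions.
import hashlib, hmac, os, struct
from typing import Callable, Optional

OUT, IN = "out", "in"
TAG_LEN = 16

class SessionHandle:
    """Opaque handle: seal()/open() only, no key accessor (models a kernel-held key)."""
    def __init__(self, key: bytes) -> None:
        self.__key = key                        # constructed stand-in for the TLS traffic secret
        self._next_out, self._next_in = 0, 0    # record sequence numbers per direction

    def _prf(self, *parts: bytes) -> bytes:
        return hmac.new(self.__key, b"".join(parts), hashlib.sha256).digest()

    def _keystream(self, seq: int, n: int) -> bytes:
        blocks = (self._prf(struct.pack(">QQ", seq, i)) for i in range((n + 31) // 32))
        return b"".join(blocks)[:n]

    def seal(self, plaintext: bytes) -> bytes:
        seq, self._next_out = self._next_out, self._next_out + 1
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(seq, len(plaintext))))
        return struct.pack(">QI", seq, len(ct)) + ct + self._prf(struct.pack(">Q", seq), ct)[:TAG_LEN]

    def open(self, record: bytes) -> bytes:
        seq, n = struct.unpack(">QI", record[:12])
        ct, tag = record[12:12 + n], record[12 + n:12 + n + TAG_LEN]
        # Reject reordering/replay and any modified ciphertext before releasing plaintext.
        expect = self._prf(struct.pack(">Q", seq), ct)[:TAG_LEN]
        if seq != self._next_in or not hmac.compare_digest(tag, expect):
            raise ValueError("record rejected: bad sequence number or tag")
        self._next_in += 1
        return bytes(a ^ b for a, b in zip(ct, self._keystream(seq, n)))

Filter = Callable[[str, bytes], bytes]

class VpnHook:
    """The active system VPN's registration with the HTTPS client (assumed API)."""
    def __init__(self, mode: str, filt: Filter) -> None:
        assert mode in ("inspect", "takeover")
        self.mode, self.filt = mode, filt

    # "takeover": the VPN does the filtering and finishes the crypto via the handle.
    def take_over_write(self, data: bytes, h: SessionHandle) -> bytes:
        return h.seal(self.filt(OUT, data))

    def take_over_read(self, record: bytes, h: SessionHandle) -> bytes:
        return self.filt(IN, h.open(record))

def tls_write(data: bytes, h: SessionHandle, hook: Optional[VpnHook]) -> bytes:
    """App -> wire.  "inspect": VPN sees/rewrites plaintext, the stack still seals."""
    if hook is None:
        return h.seal(data)
    if hook.mode == "inspect":
        return h.seal(hook.filt(OUT, data))
    return hook.take_over_write(data, h)

def tls_read(record: bytes, h: SessionHandle, hook: Optional[VpnHook]) -> bytes:
    """Wire -> app, mirror of tls_write."""
    if hook is None:
        return h.open(record)
    if hook.mode == "inspect":
        return hook.filt(IN, h.open(record))
    return hook.take_over_read(record, h)

def strip_header(name: bytes) -> Filter:
    """Privoxy-style filter: drop one outgoing request header, pass everything else."""
    def filt(direction: str, data: bytes) -> bytes:
        if direction != OUT:
            return data
        return b"\r\n".join(l for l in data.split(b"\r\n")
                            if not l.lower().startswith(name.lower() + b":"))
    return filt

# Constructed sample request carrying a header the user wants removed.
REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
           b"X-Tracking-Id: 0123456789\r\nAccept: */*\r\n\r\n")

def demo(mode: str) -> bytes:
    """Send REQUEST through a hook of the given mode; return what the server decrypts."""
    key = os.urandom(32)
    client, server = SessionHandle(key), SessionHandle(key)  # two ends of one session
    hook = VpnHook(mode, strip_header(b"X-Tracking-Id"))
    return tls_read(tls_write(REQUEST, client, hook), server, None)

def tamper_detected() -> bool:
    """One flipped ciphertext bit must make open() fail, whoever holds the handle."""
    key = os.urandom(32)
    rec = bytearray(SessionHandle(key).seal(b"hello"))
    rec[12] ^= 1
    try:
        SessionHandle(key).open(bytes(rec))
        return False
    except ValueError:
        return True
```

Both modes deliver the same stripped request to the origin; the difference is who calls seal(). The point of the opaque handle is that a "takeover" VPN gets the same authenticated encryption the app would have had (tampering is still rejected by the peer) while the key itself never leaves the stack that established the session. In Python the opacity is only advisory; on a real OS the handle would be a kernel or enclave reference.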