Prevent SSL Handshake with User Installed Certificates

How can I prevent the handshake when the certificate is user-installed? For example, if a user is using Proxyman or Charles Proxy and installs their own certificates, the system now trusts those certificates. I want to prevent that, exclude the certificates that are installed by the user, and accept the handshake if the CA certificate is a real, valid certificate defined in the OS.

I know this can be done in Android by setting something like:
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>
Answered by DTS Engineer in 851678022

If you’re using our high-level HTTP APIs — that is, URLSession or another built on top of it — then you can take advantage of the certificate pinning support in App Transport Security. See the NSPinnedDomains documentation.

IMPORTANT Certificate pinning is a two-edged sword. It lets you block debugging HTTP proxies but it also prevents your app from working in certain high-security environments, which use the same underlying technique to implement TLS inspection.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@DTS Engineer The thing is, we are using Cloudflare, and apparently for security reasons they rotate certificates, and the certificate chain might change (intermediate and root). So how can we do the pinning?

In Android there is an option to trust only the system default certificates and exclude user-installed ones.

Can't I exclude user-installed certificates? (Apparently when the user enables and trusts it, it goes into the system trusted certificates category.)
If not, what do you suggest?

So how can we do the pinning?

I can’t offer advice specific to your third-party hosting service. Given that you have documentation about the features offered by NSPinnedDomains, I recommend that you discuss this with your hosting provider.

Can't I exclude user-installed certificates?

Not with the current NSPinnedDomains feature set. But, hey, that sounds like a perfectly reasonable enhancement request for that API.

If you file such an ER, please post your bug number, just for the record.

You could add your own additional checks by handling the NSURLAuthenticationMethodServerTrust authentication challenge, but that has some caveats:

  • There’s no good way to determine whether the chain of trust leads to a built-in CA [1].
  • This technique only works for APIs, like URLSession, that let you customise HTTPS server trust evaluation. Not all APIs have that facility.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] On iOS. On macOS you might have more options here, but I get the feeling that you’re not targeting macOS. If I’m wrong, let me know.
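
The additional-check approach described above, as an added example that is not part of this thread or of Apple's own sample code: a URLSessionDelegate that runs the system's default evaluation and then requires one certificate in the chain to carry a pinned public key. Pinning several keys (current plus backup intermediates) is how rotation is usually absorbed. The pinned hash values are placeholders, and the hash is taken over the raw key bytes from SecKeyCopyExternalRepresentation, which is not the same encoding as the SPKI hash NSPinnedDomains uses.

```swift
import Foundation
import Security
import CryptoKit

/// Runs default TLS evaluation, then requires a pinned public key in the chain.
/// Caveat from the thread: on iOS, default evaluation cannot tell a built-in
/// root from a user-installed one, so the pin is what actually excludes proxies.
final class PinningDelegate: NSObject, URLSessionDelegate {
    /// Base64 SHA-256 of the raw public key bytes. PLACEHOLDERS: compute your
    /// own from the CA keys you intend to trust, and keep at least one backup.
    let pinnedKeyHashes: Set<String> = [
        "PLACEHOLDER_CURRENT_INTERMEDIATE_KEY_HASH",
        "PLACEHOLDER_BACKUP_INTERMEDIATE_KEY_HASH",
    ]

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            // Not a server-trust challenge (e.g. client cert): let the system handle it.
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Step 1: standard evaluation (hostname, expiry, chain to a trusted root).
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // Step 2: walk the evaluated chain (leaf first; iOS 15+ API) and hash
        // each certificate's public key against the pin set.
        let chain = (SecTrustCopyCertificateChain(trust) as? [SecCertificate]) ?? []
        let matched = chain.contains { cert in
            guard let key = SecCertificateCopyKey(cert),
                  let keyData = SecKeyCopyExternalRepresentation(key, nil) as Data? else {
                return false
            }
            let digest = SHA256.hash(data: keyData)
            return pinnedKeyHashes.contains(Data(digest).base64EncodedString())
        }
        if matched {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Chain validated by the OS but no pinned key present: refuse the handshake.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}
```

Install it with `URLSession(configuration: .default, delegate: PinningDelegate(), delegateQueue: nil)`; as the thread notes, this only covers APIs that expose server trust evaluation.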

@DTS Engineer Thanks for your time and information eskimo,

Filed a request in the Feedback Assistant app with bug number FB19360431.

Hope they address it, since it is really useful for all sorts of applications.
