
iOS and HTTPS scanning with apps that use certificate pinning issue.

Hello, 

I'm not sure where to put this but here goes. 

I have set up HTTPS scanning on my network and pushed both the SSL certificate and the CA certificate to the iOS devices. I installed the profile and made sure the certificates are trusted under root. 

The problem that I have found is that some apps use a certificate pinned in the app itself and don't trust the Apple certificates on the device. The problem that then happens is that when the firewall decrypts the traffic and re-encrypts it, the certificate is now a Sophos certificate and the app will not communicate because the certificate does not match the one inside the app and it thinks that a man-in-the-middle attack is happening. 

Some of the apps that I found that are not compatible are: Ring doorbell, Honeywell Home Connect, Genisys Credit Union, Flagstar Bank, and I am sure there are many others. 

What can be done about this? I have a feeling that nothing can be done other than not using HTTPS scanning, and to me that leaves a major security hole in your network. 



  • Hi,

    don't forget to check your mail scanning. I have put a lot of exceptions in place for devices that I don't think can be "compromised" or created firewall rules that only allow the device to talk to specific sites. Yes, it becomes a bit messy to maintain, but it does improve my feeling of security. I have an IoT device that has a fixed NTP address using UDP 123 that the XG thinks is a tunnel. 

    Working on building my own internal NTP server, then adding a rule to direct all devices to use that.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Hello JF,

    Thank you for contacting the Sophos Community!

    Please try creating an exception for HTTPS D&S for these apps so the XG doesn't try to decrypt this traffic.

    You can follow these two KBs (1)(2) as an example. 

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • I suspect it would work, but it would remove many categories from virus scanning like financial services and general business. I was thinking of possibly a split tunnel VPN on the phone so the apps that don't work correctly can be pushed through the VPN and turn off HTTPS scanning on the VPN. 

  • Hi,

    do you like doing things the hard way? Just create firewall rules and set up exception policies for each application, or create specific firewall rules, and then you don't have to worry about setting up and managing VPNs.

    ian

    XG115W - v19.5.1 mr-1 - Home


  • Yeah, I guess I have reached the limit of current technology. Guess I can't break safe things for safety. 

  • Hi,

    the thing with phones is, when out of the home, the applications can connect without supervision, so you need to aim at protecting your home environment. I isolate my IoT devices into a separate network with separate rules.

    ian

    XG115W - v19.5.1 mr-1 - Home


  • Hi J F,

    I sent you a pm.

    ian

    XG115W - v19.5.1 mr-1 - Home
