
iOS and HTTPS scanning with apps that use certificate pinning issue.

Hello, 

I'm not sure where to put this but here goes. 

I have set up HTTPS scanning on my network and pushed both the SSL certificate and the CA certificate to the iOS devices. I installed the profile and made sure the certificates are trusted under root.

The problem that I have found is that some apps use a certificate pinned in the app itself and don't trust the Apple certificates on the device. The problem that then happens is that when the firewall decrypts the traffic and re-encrypts it, the certificate is now a Sophos certificate and the app will not communicate, because the certificate does not match the one inside the app and it thinks that a man-in-the-middle attack is happening.

Some of the apps that I found that are not compatible are: Ring doorbell, Honeywell Home Connect, Genisys Credit Union, Flagstar Bank, and I am sure there are many others.

What can be done about this? I have a feeling that nothing can be done other than not using HTTPS scanning, and to me that leaves a major security hole in your network.
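The mechanism described in the post, as an added example that is not code from the original thread or from Sophos: a Go program that mints a public root, a server certificate, and a separate "firewall inspection" root, then checks a re-signed certificate against the two checks an app can make. Installing the firewall root on the device satisfies normal chain validation, but the public-key pin compiled into the app compares the SHA-256 of the server's SubjectPublicKeyInfo, which the firewall cannot reproduce without the origin's private key. The host name and CA names are constructed for the example; the pin format is the SHA-256-of-SPKI form commonly used by pinning libraries.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// issue mints an ECDSA P-256 certificate for cn. With parent == nil the
// certificate is self-signed (a root CA); otherwise it is signed by parent.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// SPKIPin returns the pin an app would embed: base64(SHA-256(SubjectPublicKeyInfo)).
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// Trusted reports whether leaf chains to one of the device's root certificates for host.
// This is the OS check; any CA installed via a profile satisfies it.
func Trusted(host string, leaf *x509.Certificate, deviceRoots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range deviceRoots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

// Pinned reports whether leaf's public key matches the pin compiled into the app.
// Installed CA certificates have no influence on this check.
func Pinned(leaf *x509.Certificate, pin string) bool {
	return SPKIPin(leaf) == pin
}

// Outcome records the two checks for one connection attempt.
type Outcome struct{ ChainOK, PinOK bool }

// Scenario models the thread: a real server, an app pinning that server's key, and a
// firewall CA installed on the device that re-signs the server's certificate in transit.
func Scenario() (direct, intercepted Outcome) {
	const host = "api.example.com" // hypothetical host name
	publicCA, publicKey := issue("Public Root CA", true, nil, nil)
	realLeaf, _ := issue(host, false, publicCA, publicKey)
	pin := SPKIPin(realLeaf) // the value the app ships with

	firewallCA, firewallKey := issue("Firewall Inspection CA", true, nil, nil)
	forgedLeaf, _ := issue(host, false, firewallCA, firewallKey) // fresh key pair, same host

	deviceRoots := []*x509.Certificate{publicCA, firewallCA} // firewall CA pushed via profile

	direct = Outcome{Trusted(host, realLeaf, deviceRoots...), Pinned(realLeaf, pin)}
	intercepted = Outcome{Trusted(host, forgedLeaf, deviceRoots...), Pinned(forgedLeaf, pin)}
	return direct, intercepted
}

func main() {
	direct, intercepted := Scenario()
	fmt.Printf("direct:      chain=%v pin=%v\n", direct.ChainOK, direct.PinOK)
	fmt.Printf("intercepted: chain=%v pin=%v\n", intercepted.ChainOK, intercepted.PinOK)
}
```

Run it with `go run .`: the direct connection passes both checks, the intercepted one passes chain validation but fails the pin, which is exactly the failure the pinned apps in the post report. Nothing pushed to the device changes the second result, which is why exempting those destinations from decryption is the only way to make such apps work through an inspecting firewall.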



  • I suspect it would work, but it would remove many categories from virus scanning, like financial services and general business. I was thinking of possibly a split-tunnel VPN on the phone so the apps that don't work correctly can be pushed through the VPN, and turn off HTTPS scanning on the VPN. 

  • Hi,

    Do you like doing things the hard way? Just create firewall rules and set up exception policies for each application, or create specific firewall rules, and then you don't have to worry about setting up and managing VPNs.

    ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Yeah, I guess I have reached the limit of current technology. Guess I can't break safe things for safety. 

  • Hi,

    The thing with phones is that, when out of the home, the applications can connect without supervision, so you need to aim at protecting your home environment. I isolate my IoT devices into a separate network with separate rules.

    ian


  • Hi J F,

    I sent you a pm.

    ian
