iOS and HTTPS scanning with apps that use certificate pinning issue.

Hello, 

I'm not sure where to put this but here goes. 

I have set up HTTPS scanning on my network and pushed both the SSL certificate and the CA certificate to the iOS devices. I installed the profile and made sure the certificates are trusted under root. 

The problem that I have found is that some apps use a certificate pinned in the app itself and don't trust the Apple certificates on the device. The problem that then happens is that when the firewall decrypts the traffic and re-encrypts it, the certificate is now a Sophos certificate and the app will not communicate because the certificate does not match the one inside the app and it thinks that a man-in-the-middle attack is happening. 

Some of the apps that I found that are not compatible are: Ring doorbell, Honeywell Home Connect, Genisys Credit Union, Flagstar Bank, and I am sure there are many others. 

What can be done about this? I have a feeling that nothing can be done other than not using HTTPS scanning, and to me that leaves a major security hole in your network. 



This thread was automatically locked due to age.
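Added example, not part of the original post: a local reproduction of the mismatch described in the question, showing that a re-signed certificate can pass chain validation against a trusted inspection CA and still fail an app's pin check. It assumes the `openssl` CLI is installed; the hostname `api.example.test`, the "Inspection CA" and all keys are constructed stand-ins, not Sophos or vendor material.

```shell
#!/usr/bin/env bash
# Constructed demo: every key, certificate and name here is generated locally.
set -eu

# Base64 SHA-256 of a certificate's SubjectPublicKeyInfo (a common pin format).
spki_pin() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64
}

# What a pinning client does: compare the presented key with the pin it ships.
pin_check() {  # usage: pin_check <expected_pin> <presented_cert.pem>
  [ "$(spki_pin "$2")" = "$1" ]
}

demo() {
  d=$(mktemp -d)
  # 1. Stand-in for the app vendor's real server certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=api.example.test" \
    -keyout "$d/origin.key" -out "$d/origin.pem" 2>/dev/null
  # 2. Stand-in for the firewall's signing CA (the one pushed to the devices).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Inspection CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  # 3. Certificate the firewall mints for the same hostname, with its own key.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=api.example.test" \
    -keyout "$d/proxy.key" -out "$d/proxy.csr" 2>/dev/null
  openssl x509 -req -in "$d/proxy.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/proxy.pem" 2>/dev/null

  app_pin=$(spki_pin "$d/origin.pem")   # pin baked into the app at build time
  # Chain validation passes because the device trusts the inspection CA...
  openssl verify -CAfile "$d/ca.pem" "$d/proxy.pem" >/dev/null 2>&1 \
    && chain=trusted || chain=untrusted
  # ...but the pin check fails because the public key is a different one.
  pin_check "$app_pin" "$d/origin.pem" && direct=match || direct=mismatch
  pin_check "$app_pin" "$d/proxy.pem" && inspected=match || inspected=mismatch
  rm -rf "$d"
  echo "chain=$chain direct=$direct inspected=$inspected"
}

demo
```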
  • Hi,

    The thing with phones is that when out of the home the applications can connect without supervision, so you need to aim at protecting your home environment. I isolate my IoT devices into a separate network with separate rules.

    ian

    XG115W - v19.5.1 mr-1 - Home
