Interception of apps on iOS 10.x+ and Android 7+

Updated 5 months ago by admin

The USS Gateway virtual machine is often used to intercept and control traffic on mobile devices, such as in a BYOD environment. This requires the SSL Intercept feature to be enabled and the gateway certificate to be installed on all of the devices. Installation of the certificate is made easier via the Captive Portal, an optional step to authenticate the user and provide access to the certificate download link. Once the certificate is installed and traffic is passing through the USS Gateway, visibility of app usage is available in the App Analyse report.

This article applies to some apps running on iOS v10 and Android v7 operating systems

Some app vendors are now shipping their apps with a built-in certificate (this technique is called SSL Pinning) which must be visible to the web service the app uses for communication in order for the app to function correctly. Due to this extra layer of verification, it means that SSL/TLS interception techniques can no longer be applied. This means that visibility of activity within the app is restricted and the only control options are to block the app completely or allow the app completely (by Bypassing the domains that the app uses from SSL Interception).

It is best practice to consider whether these apps are suitable for an Enterprise or Education environment given the lack of visibility that is possible.
Instead of bypassing, you can encourage users to use the web browser on their mobile device or desktop computer to access the web version of the app.
View a list of domains that require bypass rules if you wish to allow the app to be used on your network.


How did we do?