Interception of iOS and Android apps (SSL Pinning)
The USS Gateway virtual machine is often used to intercept and control traffic (HTTP/S) on mobile devices, such as in a BYOD environment. This requires the SSL Intercept feature to be enabled and the gateway certificate to be installed on all of the devices. Installation of the certificate is made easier via the Captive Portal, an optional step to authenticate the user and provide access to the certificate download link. Once the certificate is installed and web traffic is passing through the USS Gateway, visibility of any traffic that matches apps or actions from the App Catalog is available in the Cloud Activity - Inline report. All HTTP/S traffic will be visible from the Web Activity - Hits or Web Activity - Visits reports.
Some app vendors are now shipping their apps with a built-in certificate (this technique is called SSL Pinning) which must be visible to the web service the app uses for communication in order for the app to function correctly. Due to this extra layer of verification, it means that SSL/TLS interception techniques can no longer be applied. This means that visibility of activity within the app is restricted and the only control options are to block the app completely or allow the app completely (by Bypassing the domains that the app uses from SSL Interception).
Apps known to use the SSL pinning technique
- iOS App Store