Interception of iOS and Android apps (SSL Pinning)

The USS Gateway virtual machine is often used to intercept and control traffic (HTTP/S) on mobile devices, such as in a BYOD environment. This requires the SSL Intercept feature to be enabled and the gateway certificate to be installed on all of the devices. Installation of the certificate is made easier via the Captive Portal, an optional step to authenticate the user and provide access to the certificate download link. Once the certificate is installed and web traffic is passing through the USS Gateway, visibility of any traffic that matches apps or actions from the App Catalog is available in the Cloud Activity - Inline report. All HTTP/S traffic will be visible from the Web Activity - Hits or Web Activity - Visits reports.

This article applies to some apps running on iOS and Android operating systems

SSL Pinning

Some app vendors are now shipping their apps with a built-in certificate (this technique is called SSL Pinning) which must be visible to the web service the app uses for communication in order for the app to function correctly. Due to this extra layer of verification, it means that SSL/TLS interception techniques can no longer be applied. This means that visibility of activity within the app is restricted and the only control options are to block the app completely or allow the app completely (by Bypassing the domains that the app uses from SSL Interception).

Apps known to use the SSL pinning technique

  • WhatsApp
  • Twitter
  • Instagram
  • Facebook
  • Zoom
  • iOS App Store
It is best practice to consider whether these apps are suitable for an Enterprise or Education environment given the lack of visibility that is possible.
Instead of bypassing, you can encourage users to use the web browser on their mobile device or desktop computer to access the web version of the app.
View a list of domains that require bypass rules if you wish to allow the app to be used on your network.

How did we do?