How to Bypass Decryption to Access the iTunes and App Store from iOS Devices


Issue

When the Palo Alto Networks device is configured to decrypt outbound traffic, iOS devices are unable to connect to the iTunes and App Store directly from their applications, even if the certificate used for decryption has been imported into the device and works for regular browsing.


The error returned on the iPhone or iPad is "Cannot connect to the iTunes Store."


Cause

The App Store and iTunes application expect the server certificate to be signed by Apple and close the connection if signed by a different CA.


Resolution

  1. Configure a custom URL Category that contains all known FQDNs related to the iTunes and App Store (wildcards can be used).

    (Screenshot: Custom_URL_Category.JPG)
    Note: For iOS 8 and later, also add "*.mzstatic.com" to the above list.


  2. Add a Decryption policy rule that bypasses decryption (action "no-decrypt") for the custom URL category just created.

    (Screenshot: Custom_URL_Category_No_Decrypt.JPG)

Note: While "itunes.apple.com" and "*.itunes.apple.com" should be enough to catch all iTunes and App Store related sites, other FQDNs have been reported. The list might be incomplete and/or change over time.
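To check a bypass list against hostnames actually observed in the SNI of blocked connections before touching the firewall, here is an added Python example (not part of the original article and not Palo Alto Networks code). It models the matching behaviour of a custom URL category as an assumption: a plain entry matches only that exact host, and a "*.domain" entry matches any host ending in ".domain" but not the bare domain itself, which is why the article lists both "itunes.apple.com" and "*.itunes.apple.com". The sample SNI values are constructed; the entries in the category come from the article's text, not from the screenshot.

```python
"""Offline check of a decryption-bypass URL list against observed SNI hostnames.

Added example, not from the original article. The wildcard semantics below are
an assumption modelled on how a PAN-OS custom URL category is commonly
understood to match; confirm on your own firewall before relying on it.
"""
from __future__ import annotations

# Entries named in the article's text (the screenshot list is not reproduced here).
BYPASS_CATEGORY = [
    "itunes.apple.com",
    "*.itunes.apple.com",
    "*.mzstatic.com",   # added for iOS 8 and later
]


def entry_matches(entry: str, host: str) -> bool:
    """Return True if a single category entry covers the hostname."""
    entry = entry.lower().rstrip("/")
    host = host.lower()
    if entry.startswith("*."):
        suffix = entry[1:]          # "*.apple.com" -> ".apple.com"
        # Subdomains only: "mzstatic.com" itself is not covered by "*.mzstatic.com".
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry


def should_bypass(host: str, category: list[str] = BYPASS_CATEGORY) -> bool:
    """True if the no-decrypt rule would apply to a connection with this SNI."""
    return any(entry_matches(e, host) for e in category)


def uncovered_hosts(sni_log: list[str], category: list[str] = BYPASS_CATEGORY) -> list[str]:
    """Hostnames that would still be decrypted, i.e. candidates for the
    'Cannot connect to the iTunes Store' error when the app pins Apple's CA."""
    seen: list[str] = []
    for host in sni_log:
        if not should_bypass(host, category) and host not in seen:
            seen.append(host)
    return seen


# Constructed sample of SNI values, as one might export from the decryption log.
SAMPLE_SNI = [
    "itunes.apple.com",
    "init.itunes.apple.com",
    "is1-ssl.mzstatic.com",
    "mzstatic.com",
    "www.example.com",
]

if __name__ == "__main__":
    for h in SAMPLE_SNI:
        print(f"{h:28} bypass={should_bypass(h)}")
    print("still decrypted:", uncovered_hosts(SAMPLE_SNI))
```

Run it against the SNI column exported from the decryption or traffic log for the failing client; every hostname it reports as still decrypted is one to either add to the category or confirm as unrelated to the App Store.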


owner: sberti

Comments

Could we use the certificate as decryption exception?

If so, how could we capture the certificate to determine if it is unique as part of the app design or just a general certificate?

Could we also use a dynamic object to better define the traffic?

I would be very interested to find a better way to correlate the decryption with the App-ID, since the same methods could be used to exempt traffic from decryption for various other devices alike: Google TV, TVs with embedded apps (Netflix, Hulu, Amazon, etc.), some Xbox and PS3 apps. There is an entire gamut of new devices that will not permit their traffic to be decrypted.

Helped me :smileyhappy:

I would also say that the ability to define these rules based on application id would be nice.

It would make it easy to unblock some of these unusual ones.

Also would mean that it's no problem when servers change.

Thanks for this, working!

Anyone have any updates to this list? I'm trying to do an Updates check from the App Store on High Sierra 10.13.2 and getting the following error message:

An error has occurred

The operation couldn't be completed.

(NSURLErrorDomain error -1012.)

Would this be obsolete in PAN-OS 8.0 with SSL decryption exclusions?


(Screenshot: Screen Shot 2018-01-05 at 6.10.28 PM.png)

Hi @CesarPoopMurillas


That is correct.