06-10-2019 02:26 PM
We began testing of the iOS 13 beta last week on several test devices that are connected to our internal mobile device network. This network passes traffic through the Palo with SSL decryption. We are finding that iOS 13, even with our cert installed on the device via MDM, does NOT accept the decrypt cert. We are still testing, but so far we have found several applications that will not work (some give errors, some just don't do anything), Safari will not open HTTPS sites, and our MDM environment cannot send commands to the devices. In all cases, once we take the device off of the internal WiFi, eliminating SSL decrypt, everything works.
I have not yet been able to find any documentation from Apple indicating that they are enforcing certificate pinning across the OS, but it sure seems like they might be. Has anyone else encountered this yet?
Thanks
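One check a practitioner would want before concluding that the OS is pinning, as an added example that is not part of the original thread and not Palo Alto Networks' or Apple's code: a Go program that applies the TLS server-certificate rules Apple published for iOS 13 and macOS 10.15 (support article HT210176: RSA keys of at least 2048 bits on the server certificate and its issuing CA, a SHA-2 signature, the server's DNS name in subjectAltName, and, for certificates whose NotBefore is after 1 July 2019, an ExtendedKeyUsage containing id-kp-serverAuth and a validity of at most 825 days). Because a decrypting firewall re-signs a certificate it generates on the fly, that generated leaf and the forward-trust CA are what the device actually evaluates, so these are the fields to inspect. The CA name, hostnames, dates and serial numbers below are constructed for the example; the program builds the certificates in memory so it runs offline, and `CheckChain` is the part you would reuse against a chain captured from a device on the decrypting network.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Date from which Apple additionally requires the serverAuth EKU and caps
// validity at 825 days (Apple support article HT210176).
var ht210176Cutoff = time.Date(2019, 7, 1, 0, 0, 0, 0, time.UTC)

// CheckChain lists the HT210176 rules that the presented leaf, or the CA
// that signed it, violates. An empty list does not prove the device trusts
// the chain; it only means none of these rules explains a rejection.
func CheckChain(leaf, issuer *x509.Certificate) []string {
	var findings []string
	// The key-size rule applies to the server certificate and to issuing CAs.
	for _, c := range []*x509.Certificate{leaf, issuer} {
		if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
			findings = append(findings, fmt.Sprintf("%q: RSA key is %d bits (< 2048)", c.Subject.CommonName, k.N.BitLen()))
		}
	}
	switch leaf.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		findings = append(findings, "leaf signature is not SHA-2 based")
	}
	if len(leaf.DNSNames) == 0 {
		findings = append(findings, "leaf has no DNS name in subjectAltName (CommonName alone is not matched)")
	}
	if leaf.NotBefore.After(ht210176Cutoff) {
		serverAuth := false
		for _, eku := range leaf.ExtKeyUsage {
			if eku == x509.ExtKeyUsageServerAuth {
				serverAuth = true
			}
		}
		if !serverAuth {
			findings = append(findings, "leaf ExtendedKeyUsage lacks id-kp-serverAuth")
		}
		if days := int(leaf.NotAfter.Sub(leaf.NotBefore).Hours() / 24); days > 825 {
			findings = append(findings, fmt.Sprintf("leaf validity is %d days (> 825)", days))
		}
	}
	return findings
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs template under parent with parentKey and returns the parsed result.
func issue(template, parent *x509.Certificate, pub *rsa.PublicKey, parentKey *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	must(err)
	c, err := x509.ParseCertificate(der)
	must(err)
	return c
}

// DemoFindings builds a constructed forward-trust CA (name, hostname and
// dates are made up for this example) and two leaves signed by it: one shaped
// like a proxy-generated certificate that copies a three-year validity and
// carries no SAN or EKU, and one that satisfies every rule.
func DemoFindings() (bad, good []string) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	issued := time.Date(2019, 8, 1, 0, 0, 0, 0, time.UTC) // after the cutoff
	caTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Forward Trust CA"},
		NotBefore: issued, NotAfter: issued.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca := issue(caTpl, caTpl, &caKey.PublicKey, caKey)

	badTpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.example.com"},
		NotBefore: issued, NotAfter: issued.AddDate(3, 0, 0), // 1096 days
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	bad = CheckChain(issue(badTpl, ca, &leafKey.PublicKey, caKey), ca)

	goodTpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "www.example.com"},
		DNSNames:  []string{"www.example.com"},
		NotBefore: issued, NotAfter: issued.AddDate(0, 0, 825), // exactly the cap
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	good = CheckChain(issue(goodTpl, ca, &leafKey.PublicKey, caKey), ca)
	return bad, good
}

func main() {
	bad, good := DemoFindings()
	fmt.Println("proxy-style leaf:", bad)
	fmt.Println("compliant leaf: ", good)
}
```

To use this against a real environment, capture the chain a client on the decrypting VLAN sees (for example with `openssl s_client -showcerts -connect host:443` from a laptop on the same network), parse the leaf and the forward-trust CA with `x509.ParseCertificate`, and pass them to `CheckChain`. The check assumes the CA is the direct issuer and does not replace a full trust evaluation: a chain can pass every rule here and still be rejected because the CA profile was never installed, or because an individual app pins its own certificates.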
06-12-2019 01:11 AM
Just curious why you would start testing on the initial beta while things are known to be broken and not wait until at least the public preview? This release is so devs can actually start working with the new APIs; for what you are doing, the Public Preview that's due out next month is far more appropriate for your testing.
If you look at the release notes, the MDM queries not returning properly is a known issue and is currently broken within the developer preview. If Apple is enforcing cert pinning throughout the OS, it certainly hasn't been documented anywhere and wasn't mentioned at WWDC.
06-13-2019 08:32 AM
Thanks for the reply. I am well aware of the perils of beta 1. That's why I have multiple devices. My company does do internal iOS development, although that's a relatively recent addition.
That said, I think that IT professionals who support iOS in their environment should begin testing iOS releases as soon as they are available. It seems that Apple is starting to take this approach as well, seeing as how they are going to allow customers who are enrolled in Apple Business Manager to begin downloading the betas at the same time as developer program members. In this case, getting an early jump on things has allowed me to open up the conversation internally. We are asking, "what if" in regards to decrypt. We have also said we won't make any changes until later in the beta cycle to see if it is still an issue.
I don't have any problem living with a semi-working device for a few months. I've been doing that annually for years. My question was regarding whether or not I missed something in the WWDC presentations/docs. It sounds like I didn't, so we will take a wait and see approach. Frankly, I'd like to see them push the issue with cert pinning. I don't think it is necessary to decrypt mobile device traffic. All that leads to is users turning off their WiFi when things don't work.
10-21-2019 02:28 PM
I have the same problem. Is there any solution?