Option to disable non-standard root certificates for HTTPS connections

Originator: andrian
Number: rdar://33005187
Date Originated: June 27, 2017
Status:
Resolved:
Product: iOS + SDK
Product Version:
Classification:
Reproducible:
Area:
CFNetwork Framework

Summary:
Some security enthusiasts use special proxy servers (Charles Proxy, MITM Proxy) to inspect application traffic.

To inspect HTTPS traffic, these proxy servers require the user to install a custom TLS root certificate on their device.

Other security enthusiasts consider the fact that a user could install a custom TLS root certificate and inspect the traffic to be a security vulnerability in itself, one that should be mitigated by implementing 'Certificate Pinning' in the app.

In practice there is a risk that 'Certificate Pinning' will be implemented incorrectly, or that there is a bug in the existing popular libraries that do this (see https://github.com/datatheorem/TrustKit/issues).


That is why I propose adding keys such as UseSystemRootsOnly and ExceptionUseSystemRootsOnly (I just made up these key names) to the App Transport Security dictionaries on macOS and iOS.

The idea is that when these keys are set to true, all HTTPS connections ignore any root certificates installed by the user and use only the system root certificates chosen by Apple (which are very secure and constantly checked). This would let app developers avoid writing code for custom TLS verification.

This option is useful for software that accesses cloud-based backends available only on the Internet.

Obviously, proper support for NSExceptionDomains should be implemented for this option (ExceptionUseSystemRootsOnly): some apps connect to different domains both in the cloud and on the local network.
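What the proposed key would do, expressed as app code an author can ship today. This is an added example, not code from the report or from Apple: a URLSession delegate that re-evaluates the server chain against only the roots in the macOS "system" trust-settings domain, so a root installed in the user or admin domain (where a debugging proxy's CA lands) never validates. It assumes macOS 10.14 or later, since SecTrustSettingsCopyCertificates is not available on iOS; the exemptHosts set is a hypothetical stand-in for the ExceptionUseSystemRootsOnly behaviour.

```swift
import Foundation
import Security

/// Trusts only Apple-shipped roots; user/admin-installed roots are ignored.
/// Assumption: macOS only (SecTrustSettings APIs do not exist on iOS).
final class SystemRootsOnlyDelegate: NSObject, URLSessionDelegate {

    /// Hosts that keep the default trust evaluation (local-network services),
    /// playing the role of the proposed ExceptionUseSystemRootsOnly key.
    let exemptHosts: Set<String>

    init(exemptHosts: Set<String> = []) {
        self.exemptHosts = exemptHosts
    }

    /// Roots from the "system" domain only. The user and admin domains, where a
    /// proxy's CA would be installed, are deliberately never consulted.
    static func systemRoots() -> [SecCertificate] {
        var roots: CFArray?
        let status = SecTrustSettingsCopyCertificates(.system, &roots)
        guard status == errSecSuccess, let certs = roots as? [SecCertificate] else { return [] }
        return certs
    }

    /// True only when the presented chain is valid AND terminates in a system root.
    static func chainIsRootedInSystemStore(_ trust: SecTrust) -> Bool {
        let roots = systemRoots()
        guard !roots.isEmpty else { return false }  // fail closed if the store is unreadable
        guard SecTrustSetAnchorCertificates(trust, roots as CFArray) == errSecSuccess,
              SecTrustSetAnchorCertificatesOnly(trust, true) == errSecSuccess else { return false }
        var error: CFError?
        return SecTrustEvaluateWithError(trust, &error)
    }

    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust, !exemptHosts.contains(space.host) else {
            completionHandler(.performDefaultHandling, nil)  // not TLS, or an exempt host
            return
        }
        if Self.chainIsRootedInSystemStore(trust) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Chain ends in a non-system root (e.g. a proxy CA): the connection never starts.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage: URLSession(configuration: .default, delegate: SystemRootsOnlyDelegate(exemptHosts: ["printer.local"]), delegateQueue: nil)
```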

Steps to Reproduce:
- Create an app that uses an HTTPS backend
- Download the Charles Proxy app
- Install its root certificate
- View the traffic
- Try to prevent this

Expected Results:
- Add a key to Info.plist
- Tada! It is impossible to view the encrypted TLS traffic; connections won't even start when a custom root certificate is installed

Observed Results:
- You need to write code that does certificate pinning, or use some library
- It is hard to confirm that your code is correct or that the dependency does not have bugs

Version:
any iOS / macOS version

Notes:


Configuration:
