3

I've noticed a curious oddity with some traffic sniffing from my apps on my iPhone. I've installed the ZAP Proxy CA certificate on the device, but I've noticed I can sniff some app traffic, and others I can't. This was apparent six months ago, but I've observed now even more of my suite failing to connect via the proxy, so my presumption is a trusted certificate is no longer trusted.

I'm aware there was an issue with iOS whereby a library permitted untrusted certificates to be used, but surely if I've installed a root CA, explicitly told the device it's trusted, then I should be able to view all HTTPS traffic from the device?

Failing this, is it still possible to sniff HTTPS from the device via a proxy?

Anders
Colin

1 Answer

3

Yes, it is generally still possible, but techniques like Certificate Pinning and others make it more and more difficult to do a Man-in-the-Middle Attack.

I've also observed quite a lot of apps (on Android though) and found that especially messaging and communication apps (Facebook, Snapchat, ...) try to make sniffing network traffic as hard as possible.


Update:

You could try to disable Certificate Pinning on your device / browser. This is easy for desktop systems (@Psiinon linked to a guide How-to disable certificate pinning in Firefox - thanks for pointing this out).

For disabling certificate pinning on smartphones, you need to root / jailbreak the device. A tool for iOS might be SSL Kill Switch 2, and for Android one could use JustTrustMe (root and xposed required).

I have tried neither of the tools listed above. Both tools are listed in this presentation by Anant Shrivastava. See slides 15 and 20.

Last note: Disabling a security feature like certificate pinning is a security threat and is only recommended for testing.

Lukas
  • Thanks Lukas! It's for testing only, and I am aware of the security implications. I will try to find an older device to jailbreak and unpin the certificates. – Colin May 10 '16 at 10:52
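
An added example, not part of the original question or answer: a model of the client-side decision that explains why a user-installed proxy CA works for some apps and not for others. It assumes SPKI pinning (base64 of the SHA-256 of the certificate's SubjectPublicKeyInfo); the function names and the certificate skeletons are constructed for illustration, and a real client would take the DER bytes from the TLS handshake, for instance `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
import base64
import hashlib

def _read(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_pin(cert_der):
    """Return base64(SHA-256(SubjectPublicKeyInfo)) of a DER certificate."""
    _, pos, _ = _read(cert_der, 0)          # Certificate SEQUENCE
    _, pos, tbs_end = _read(cert_der, pos)  # TBSCertificate SEQUENCE
    fields = []
    while pos < tbs_end:
        tag, _, end = _read(cert_der, pos)
        fields.append((tag, cert_der[pos:end]))
        pos = end
    if fields[0][0] == 0xA0:                # optional [0] version
        fields.pop(0)
    spki = fields[5][1]  # follows serial, sigAlg, issuer, validity, subject
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

def connection_allowed(cert_der, chain_trusted, pins=None):
    """Client decision: trust-store result first, then the app's own pin set."""
    if not chain_trusted:
        return False
    return pins is None or spki_pin(cert_der) in pins

# Constructed sample input: DER skeletons with placeholder keys, not real certs.
def _der(tag, content=b""):  # lengths below 256 only
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + content

def make_cert(issuer, key):
    spki = _der(0x30, _der(0x30) + _der(0x03, b"\x00" + key))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30) + _der(0x30, _der(0x0C, issuer)) + _der(0x30)
               + _der(0x30) + spki)
    return _der(0x30, tbs + _der(0x30) + _der(0x03, b"\x00" * 65)), spki

SERVER_CERT, SERVER_SPKI = make_cert(b"Public CA (constructed)", b"S" * 32)
PROXY_CERT, PROXY_SPKI = make_cert(b"Proxy CA (constructed)", b"P" * 32)
APP_PINS = {spki_pin(SERVER_CERT)}  # pin set the app ships with

if __name__ == "__main__":  # proxy leaf chains to the installed CA: trusted=True
    print("unpinned app via proxy:", connection_allowed(PROXY_CERT, True))
    print("pinned app via proxy:  ", connection_allowed(PROXY_CERT, True, APP_PINS))
```

The pinned app rejects the proxy's certificate even though the chain validates against the installed CA, because the pin check is done by the app itself and does not consult the device trust store.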