by coin 3615 days ago
Isn't it possible for apps to ignore the OS's proxy settings and make a direct TCP connection? In that case the proxy man-in-the-middle trick won't work.
3 comments

Yes. Socket programming. A number of banking apps in the UK use the connect(2) etc, although I can't say if this is the reason. It's most likely to make it a touch more difficult to reverse than hooking NSURLConnection etc.
At least on Android you can generate a fake VPN-esque connection locally that passes everything through a proxy, so the proxy isn't exposed to the application.
Sure but then the verification will fail since you won't be able to sign the handshake with the "pin'd" cert. (Assuming they implement TLS or other crypto in their own code.) If you aren't modifying the execution environment then it's possible for an app to be "safe".
A clever-enough emulator can just lie to an application and say, "You're running on a stock device. Everything is fine".
Clever-enough is the key word, with SafetyNet involved, which dynamically executes signed classes and you don't know what checks will be done.
In that case I would look into ARP poisoning.