It's not something I'd expect your average user to be able to do, but it is possible and is regularly done for various reverse engineering purposes. The approach I've seen involve changing what certificate is pinned to one that is locally controlled.
That being said I don't think it's nearly as common for certificate pinning to be present as people think- in fact it was deprecated in 2017 because it caused so many problems. Instead things like HSTS and transparency logs are used to prevent damage from malicious issuance of certificates, and organizations can typically override things with their own CA.
If your software is pinned to a specific certificate (even if that certificate is a root CA) your software won't work in many corporate environments. One of the exact reasons mentioned- medical data- is a big driver in this. My company has APIs used by medical companies, and they have to whitelist our service in their firewalls because many of them MITM all traffic to ensure that PHI isn't sent out over an unapproved service by mistake.
> in fact it was deprecated in 2017 because it caused so many problems. Instead things like HSTS and transparency logs are used to prevent damage from malicious issuance of certificates, and organizations can typically override things with their own CA.
Still kinda salty that pinning was deprecated from HTTPS. It wasn't perfect (accidental/malicious pinning was far too easy seeing how it was merely controlled by an HTTP header), but the current alternatives (Certificate Transparency, CAA DNS records) aren't an adequate replacement. Sure Certificate Transparency helps to detect a misused certificate, but it doesn't actively prevent it from being used, and CAA requires that the CA isn't "lying" about the header through a "bug" or otherwise.
It is kind of "hilarious" that enterprises are defeating the ability of a client to prevent a MiTM eavesdropper on the net, for the sake of ensuring privacy of transmitted data.
That being said I don't think it's nearly as common for certificate pinning to be present as people think- in fact it was deprecated in 2017 because it caused so many problems. Instead things like HSTS and transparency logs are used to prevent damage from malicious issuance of certificates, and organizations can typically override things with their own CA.
If your software is pinned to a specific certificate (even if that certificate is a root CA) your software won't work in many corporate environments. One of the exact reasons mentioned- medical data- is a big driver in this. My company has APIs used by medical companies, and they have to whitelist our service in their firewalls because many of them MITM all traffic to ensure that PHI isn't sent out over an unapproved service by mistake.