by lxgr 638 days ago
While you're at it, make sure to have them prohibit any encryption on top of HTTPS, or apps might just be hiding things in application-level encryption schemes!

Banning certificate pinning... Do we really need mandated insecurity by prohibiting apps from doing better than trusting all Apple-trusted CAs around the world?


They already do that to some extent, actually. Not as you mention, but because of US export compliance laws.
Countless encrypted messenger apps, GPG implementations etc. beg to differ.
A better rule might be "You must use our HTTPSClient class, and it either uses the system + user trust stores, or optionally it uses an application-supplied certificate authority + the user trust store".
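What the two trust modes in that proposed rule, and the "doing better than trusting every Apple-trusted CA" point in the first comment, look like in code, as an added example (not code from anyone in this thread and not Apple's API): a client whose only configurable knob is which roots it verifies against, built on Go's crypto/tls and net/http as a stand-in for the proposed HTTPSClient. x509.SystemCertPool is assumed to approximate the "system + user trust store"; the two CAs and the two loopback HTTPS servers are constructed test fixtures, and the names App Pinned CA, Unrelated CA and api.example.test are made up for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// must aborts on fixture-setup errors (key generation, certificate encoding), which are not what this example demonstrates.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a P-256 key and a certificate: a self-signed CA when parent is nil, otherwise a
// server leaf for 127.0.0.1 (where httptest listens) signed by parent. Constructed test material, not a real PKI.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // self-signed CA
		parent, parentKey = tmpl, key
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // server leaf; Go ignores the CN, so the SAN must carry the address
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.IPAddresses = []net.IP{net.ParseIP("127.0.0.1")}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// AppTrustStore is the "application-supplied CA + user trust store" mode proposed above: the app's
// root is added to whatever the platform trusts. If the platform pool is unreadable it fails closed (app CA only).
func AppTrustStore(appCA *x509.Certificate) *x509.CertPool {
	pool, err := x509.SystemCertPool()
	if err != nil {
		pool = x509.NewCertPool()
	}
	pool.AddCert(appCA)
	return pool
}

// NewClient is the mandated client: callers pick the roots to verify against, but there is
// no knob to disable verification (no InsecureSkipVerify) and nothing below TLS 1.2.
func NewClient(roots *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}}}
}

// accepted reports whether the client completed a verified handshake and a GET to url.
func accepted(c *http.Client, url string) bool {
	resp, err := c.Get(url)
	if err == nil {
		resp.Body.Close()
	}
	return err == nil
}

// serve starts a loopback HTTPS server presenting a leaf issued by the given CA.
func serve(ca *x509.Certificate, caKey *ecdsa.PrivateKey) *httptest.Server {
	leaf, key := issue("api.example.test", ca, caKey)
	s := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") }))
	s.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: key}}}
	s.StartTLS()
	return s
}

// Demo points one client, trusting the app CA plus the platform store, at a server chained to the
// app CA (expected: accepted) and one chained to an unrelated CA (expected: rejected).
func Demo() (appCAAccepted, otherCAAccepted bool) {
	appCA, appKey := issue("App Pinned CA", nil, nil)
	otherCA, otherKey := issue("Unrelated CA", nil, nil)
	good, bad := serve(appCA, appKey), serve(otherCA, otherKey)
	defer good.Close()
	defer bad.Close()
	client := NewClient(AppTrustStore(appCA))
	return accepted(client, good.URL), accepted(client, bad.URL)
}

func main() {
	fmt.Println(Demo()) // expected: true false
}
```

The point of the second server is the check a reviewer would want: a leaf signed by a CA that is neither the app's own root nor in the platform store is rejected at the handshake, so "pinning" to an app-supplied CA narrows trust rather than widening it, and nothing in the client's surface lets a caller turn verification off. Swapping AppTrustStore for a bare x509.SystemCertPool gives the rule's other mode (system + user stores only), with the same client code.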