[AnonHP]

> but almost all apps nowadays use certificate pinning which means the system certificate store is ignored

Certificate pinning (or rather, public key pinning) is technically obsolete and browsers themselves removed support for it in 2018. [1] Are there many apps still really using this?

[1]: https://en.m.wikipedia.org/wiki/HTTP_Public_Key_Pinning

[jeroenhd]

HPKP, yes. Certificate pinning in apps is the norm.

The difference between HPKP and certificate pinning is that HPKP can pin certificates on the fly, whereas certificate pinning in apps is done by configuring the HTTPS client in the native application.

Apps like Facebook won't work on TLS MitM setups without using tools like Frida to kill he validation logic.

[klausa]

Mobile apps still frequently do, yes.

It's gotten less popular over the years as people keep asking "wait, what are we doing this for again?"; but it's still very popular in certain kinds of apps (anything banking related will almost certainly have it, along with easily broken and bypassed jailbreak detections, etc).

[oarsinsync]

Most personal banking apps I’ve used still do this. The bank is liable for your lost funds if your corporate IT department doesn’t secure the MITM solution properly otherwise.

(The end customer isn’t liable for the bank’s inability to properly secure their app from MITM attacks…)

[solarexplorer]

I don't have any numbers, but I think this is still pretty common. On iOS for example Alamofire which is a popular network stack, still offers this as a feature. I think the use case is a bit different for apps and web sites, especially for closed ecosystems like Apple's where reverse engineering is not as easy/straightforward.

https://github.com/Alamofire/Alamofire