How to check certificate transparency used during server trust


We are building an iOS SDK using certificate transparency to verify SSL connections. This was initially implemented using ATS in the Info.plist, but we came across an issue:

Users could install a profile and fully trust a root certificate that will allow them to override these checks. Burpsuite does this out of the box as well.

The workaround we found was to use URLSessionDelegate and, after evaluation, check the result of SecTrustCopyResult(_: SecTrust) for the key kSecTrustCertificateTransparency, making sure the value was true.

The issue here is that this key is only present from iOS 13 onwards. How should we implement this for earlier versions of iOS? (We are currently supporting iOS 11.0 and up.)


Reference: https://developer.apple.com/forums/thread/688302

Performing certificate transparency checks using the local CT logs on the device for iOS 11.4 (r.74226999 and r.30743827) is now out of date, and so when performing extra validations using the ATS key NSRequiresCertificateTransparency on iOS 11, these validations are not guaranteed to work anymore.

Regarding: "The issue here is that this key is only present from iOS 13 onwards."

kSecTrustCertificateTransparency and NSRequiresCertificateTransparency are available in iOS 9+.

I would still recommend that you look at the certificate chain in the SecTrust object from the URLSessionDelegate. This should be able to tell you what certificates are being used here, and if another party is using a certificate to perform a proxy action, you should be able to see this here.
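The flow the question describes (let the system evaluate the trust in URLSessionDelegate, then read kSecTrustCertificateTransparency from SecTrustCopyResult) combined with the answer's advice to inspect the certificate chain, written out as an added Swift example. This is not code from the question, the answer or Apple; the delegate class name, the placeholder hash set, the decision to fail closed when the CT key is absent, and the iOS 11 fallback to SecTrustEvaluate are all assumptions made for the example.

```swift
import Foundation
import Security
import CommonCrypto

/// Added example: a URLSessionDelegate that (1) runs the system trust
/// evaluation, (2) requires the certificate transparency flag reported by
/// SecTrustCopyResult, and (3) compares the presented chain against
/// certificates the SDK expects, so a locally trusted proxy root (for
/// example one installed via a profile) shows up as a mismatch.
final class CTCheckingSessionDelegate: NSObject, URLSessionDelegate {

    /// SHA-256 (hex) of the DER encoding of certificates expected in the chain.
    /// Placeholder value; real entries come from your own server or CA certificates.
    private let expectedCertificateHashes: Set<String> = [
        "PLACEHOLDER_SHA256_OF_EXPECTED_CERTIFICATE_DER"
    ]

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: standard system evaluation (chain building, expiry, hostname).
        // Step 2: CT flag from the evaluation result (assumption: missing key fails closed).
        // Step 3: our own look at the chain; an interposed proxy certificate will not match.
        guard systemEvaluationPassed(trust),
              certificateTransparencyVerified(trust),
              chainContainsExpectedCertificate(trust) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }

    private func systemEvaluationPassed(_ trust: SecTrust) -> Bool {
        if #available(iOS 12.0, *) {
            var error: CFError?
            return SecTrustEvaluateWithError(trust, &error)
        } else {
            // iOS 11 fallback: .unspecified and .proceed are the passing results.
            var result = SecTrustResultType.invalid
            let status = SecTrustEvaluate(trust, &result)
            return status == errSecSuccess && (result == .unspecified || result == .proceed)
        }
    }

    private func certificateTransparencyVerified(_ trust: SecTrust) -> Bool {
        guard let details = SecTrustCopyResult(trust) as? [String: Any] else { return false }
        // Fail closed: an absent or false value is treated as "not CT-verified".
        return (details[kSecTrustCertificateTransparency as String] as? Bool) == true
    }

    private func chainContainsExpectedCertificate(_ trust: SecTrust) -> Bool {
        let count = SecTrustGetCertificateCount(trust)
        for index in 0..<count {
            guard let certificate = SecTrustGetCertificateAtIndex(trust, index) else { continue }
            let der = SecCertificateCopyData(certificate) as Data
            let subject = (SecCertificateCopySubjectSummary(certificate) as String?) ?? "<no subject>"
            let hash = sha256Hex(der)
            // Logging each link is what makes a proxy's substituted certificate visible.
            NSLog("chain[%ld] subject=%@ sha256=%@", index, subject, hash)
            if expectedCertificateHashes.contains(hash) { return true }
        }
        return false
    }

    private func sha256Hex(_ data: Data) -> String {
        var digest = [UInt8](repeating: 0, count: Int(CC_SHA256_DIGEST_LENGTH))
        data.withUnsafeBytes { buffer in
            _ = CC_SHA256(buffer.baseAddress, CC_LONG(data.count), &digest)
        }
        return digest.map { String(format: "%02x", $0) }.joined()
    }
}
```

Pass an instance as the delegate of the URLSession the SDK creates. The chain comparison is the part that keeps working when the CT flag is unavailable or unreliable on an older OS: a user-installed root that re-signs the server certificate changes the DER bytes of every link, so none of them hashes to an expected value and the challenge is cancelled. Treating a missing kSecTrustCertificateTransparency key as a failure is a deliberate choice here; if the SDK must stay usable on devices where the key is never populated, that check should be gated on OS version rather than dropped.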