Decrypting and Inspecting Mobile Apps

Article #: KB-179
Product: Guardian filtering
Castle: All

Summary

This article discusses the steps needed to get some of the most popular mobile apps working through your Smoothwall, without affecting filtering of the desktop-based version of each app.

Problem

More and more applications are beginning to use certificate pinning, which causes mobile applications to not work correctly if a decrypt and inspect policy is in place. This article provides steps which will allow popular mobile applications to continue working with a decrypt and inspect policy by adding specific subdomains (where possible) to a ‘Do not inspect’ policy.

Solution

This solution lists the subdomains that need to be added to a ‘Do not inspect’ policy in your HTTPS inspection policies table.

The applications discussed below, all of which use certificate pinning, are:
Facebook, Instagram, Twitter, Facebook Messenger, Pinterest and YouTube

Application: Facebook
Subdomains:
graph.facebook.com
portal.fb.com
xx.fbcdn.com
b-api.facebook.com
b-graph.facebook.com
api.facebook.com
xx.fbcdn.net
Notes: You should still be able to content filter Facebook through the browser on Desktop, iOS and Android. You will be able to access the App however you won’t be able to do any filtering in the App.

Application: Instagram
Subdomains:
scontent.cdninstagram.com
graph.instagram.com
i.instagram.com
Notes: You should still be able to content filter Instagram through the browser on Desktop, iOS and Android. You will be able to access the App however you won’t be able to do any filtering in the App.

Application: Twitter
Subdomains:
api.twitter.com
Notes: You will NOT be able to content filter Twitter through the browser. You will be able to access the App however you won’t be able to do any filtering in the App. This solution is not ideal as you will not be able to filter Twitter and it is our recommendation that you should only implement this solution if it is necessary.

Application: Messenger
Subdomains:
m.me
edge-mqtt.facebook.com
Notes: You will NOT be able to content filter Messenger through the browser on Android devices, you will still be able to content filter it through the browser on iOS and Desktop. You will be able to access the App however you won’t be able to do any filtering in the App.

Application: Pinterest
Subdomains:
api.pinterest.com
trk.pinterest.com
Notes: You should still be able to content filter Pinterest through the web on all devices. You will be able to access the App however you won’t be able to do any filtering in the App.

Application: YouTube
Subdomains:
yt3.ggpht.com
youtubei.googleapis.com
i.ytimg.com
googlevideo.com
Notes: You should still be able to content filter YouTube through the browser on all devices. You will be able to access the App however you won’t be able to do any filtering in the App.

Setting up the Policies

First we need to create a custom category:

1. Go to Guardian > Policy Objects > Categories.
2. Enter a name (for example, Facebook App).
3. Enter the relevant subdomains listed above under Domain/URL Filtering.
4. Click Save.

Next we need to set up a ‘Do not inspect’ policy for those subdomains:

1. Go to Guardian > HTTPS inspection > Policy wizard.

   Who — Everyone*
   What — Facebook App
   Where — Everywhere*
   When — Always*
   Action — Do not inspect

   *Change these values based on your own needs.

2. Make sure the Enabled policy option is selected.
3. Click Confirm and then Save.
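
To confirm the policy behaves as described (app subdomains bypassed, browser traffic still inspected), compare the certificate issuer that a filtered client receives for each host. This is an added example, not Smoothwall code; the CA name, the www.facebook.com browser host and the sample certificates are assumptions constructed for illustration, and the client is assumed to trust the inspection CA.

```python
import socket
import ssl

# Assumption: the organisation/common name your inspection CA puts in the
# issuer of the certificates it generates; take the real value from your CA.
INSPECTION_CA_NAME = "Example Inspection CA"

# Constructed issuers in ssl.getpeercert() form, so the check runs offline.
# www.facebook.com stands in for browser traffic and is not from the table.
SAMPLE_CERTS = {
    "graph.facebook.com": {"issuer": ((("organizationName", "Constructed Public CA"),),)},
    "www.facebook.com": {"issuer": ((("organizationName", INSPECTION_CA_NAME),),)},
}


def is_inspected(cert, ca_name=INSPECTION_CA_NAME):
    """True when the certificate's issuer is the inspection CA."""
    issuer = {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}
    return ca_name in (issuer.get("organizationName"), issuer.get("commonName"))


def fetch_cert(host, port=443, timeout=5):
    """Return the verified certificate this client actually receives for host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit(hosts, fetch=fetch_cert):
    """Map each host to 'inspected', 'not inspected' or an error string."""
    results = {}
    for host in hosts:
        try:
            cert = fetch(host)
            results[host] = "inspected" if is_inspected(cert) else "not inspected"
        except (OSError, ssl.SSLError) as exc:
            # Includes verification failures when the CA is not trusted locally.
            results[host] = f"error: {exc.__class__.__name__}"
    return results


if __name__ == "__main__":
    # Offline run on the constructed data; call audit(hosts) for a live check.
    for host, state in audit(SAMPLE_CERTS, fetch=SAMPLE_CERTS.__getitem__).items():
        print(f"{host:24} {state}")
```

Run it from a device behind the filter with `audit([...])` and the subdomains you added to the category; every one of them should report "not inspected".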

 

Attribution:

Last updated: 03 August 2017
Author: Jonathon McKeague
Contributions by:


Copyright © 2000-2018 Smoothwall All rights reserved.