Certificate-pinned apps and SSL/TLS bypass domains

This topic lists known certificate-pinned mobile applications and the domains that must be bypassed to ensure correct application functionality when SSL/TLS inspection is enabled.

Certificate pinning is a security technique used by some mobile applications to validate that the TLS certificates presented by their backend servers match a set of certificates hardcoded in the application. This prevents man-in-the-middle (MITM) attacks, but it also means that SSL/TLS inspection by the Mobile Endpoint Agent cannot be performed on traffic from these applications.

When a certificate-pinned application detects a certificate mismatch, for example because the Forcepoint CA certificate used for inspection is presented instead of the pinned certificate, it terminates the connection, causing the application to fail.
Note: If your organization requires a certificate-pinned application to function correctly, bypass the corresponding domains from SSL/TLS inspection. Bypassing a domain means its traffic will not be inspected by the Mobile Endpoint Agent.

Certificate-pinned applications

The following table lists known certificate-pinned applications and their corresponding domains that must be bypassed to ensure correct application functionality.

Table 1. Certificate-pinned applications and the domains to bypass
Apple iMessage
  • p24-keyvalueservice.icloud.com
Apple iTunes and App Store
  • .apps.apple.com
  • .itunes.apple.com
  • .mzstatic.com
  • gs-loc.apple.com
  • gsa.apple.com
  • securemetrics.apple.com
  • swscan.apple.com
  • xp.apple.com
  • .icloud.com
  • ppq.apple.com
  • akadns.net
Apple Mail App
  • .mail.me.com
Google Gemini
  • gemini.google.com
  • gemini.gstatic.com
  • *.clients6.google.com
  • *.googleusercontent.com
  • play.google.com
  • *-pa.googleapis.com
  • content-push.googleapis.com
  • analytics.google.com
  • *.google-analytics.com
Google - Shared Services, Drive, etc.
  • .clients.google.com
  • .googleapis.com
  • accounts.gstatic.com
  • accounts.google.com
  • accounts.youtube.com
  • client3.google.com
  • clients1.google.com
  • clients2.google.com
  • clients3.google.com
  • clients4.google.com
  • clients5.google.com
  • clients6.google.com
  • connectivitycheck.gstatic.com
  • cros-omahaproxy.appspot.com
  • omahaproxy.appspot.com
  • dl-SSL.google.com
  • dl.google.com
  • m.google.com
  • safebrowsing-cache.google.com
  • safebrowsing.google.com
  • SSL.gstatic.com
  • tools.google.com
  • pack.google.com
  • www.gstatic.com
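The following is an added example, not Forcepoint's code, that checks observed hostnames against bypass entries written in the notation of Table 1, so an administrator can confirm which connections will be excluded from inspection and which will still be intercepted. The matching semantics are assumptions: a leading "." matches the domain and every subdomain, "*" stands for a single DNS label (or part of one, as in *-pa.googleapis.com), and a bare name matches only that exact hostname.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed subset of the Table 1 entries, kept in the notation used on this page.
BYPASS_ENTRIES = [
    "p24-keyvalueservice.icloud.com",
    ".apps.apple.com",
    ".icloud.com",
    "akadns.net",
    "*.clients6.google.com",
    "*-pa.googleapis.com",
    "accounts.google.com",
]


def entry_to_regex(entry: str) -> "re.Pattern[str]":
    """Translate one bypass entry into a regex (assumed semantics, see lead-in).

    ".x.com" -> x.com or any subdomain; "*" -> one label or part of one; else exact.
    """
    e = entry.strip().lower().rstrip(".")
    if e.startswith("."):
        return re.compile(r"(?:[^.]+\.)*" + re.escape(e[1:]))
    return re.compile("".join(r"[^.]+" if ch == "*" else re.escape(ch) for ch in e))


def bypass_entry_for(hostname: str, entries: Iterable[str] = BYPASS_ENTRIES) -> Optional[str]:
    """Return the first entry covering hostname, or None if its traffic is inspected."""
    host = hostname.strip().lower().rstrip(".")
    for entry in entries:
        if entry_to_regex(entry).fullmatch(host):
            return entry
    return None


def audit(hostnames: Iterable[str], entries: Iterable[str] = BYPASS_ENTRIES) -> Dict[str, object]:
    """Split observed hostnames into those bypassed (with the matching entry) and those inspected."""
    entries = list(entries)
    bypassed: Dict[str, str] = {}
    inspected: List[str] = []
    for host in hostnames:
        hit = bypass_entry_for(host, entries)
        if hit is None:
            inspected.append(host)
        else:
            bypassed[host] = hit
    return {"bypassed": bypassed, "inspected": inspected}


if __name__ == "__main__":
    # Constructed sample of TLS SNI hostnames seen from a managed device.
    seen = ["api.apps.apple.com", "generativelanguage-pa.googleapis.com",
            "cdn.akadns.net", "www.example.com"]
    report = audit(seen)
    for host, entry in report["bypassed"].items():
        print(f"bypass   {host:40} via {entry}")
    for host in report["inspected"]:
        print(f"inspect  {host}")
```

Hostnames that still land in the "inspected" list while the pinned application fails are the ones whose entry is missing or too narrow in the bypass list.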