Many mobile applications enforce certificate pinning in order to make a man-in-the-middle attack difficult to accomplish. However, with a jailbroken/rooted device, it's possible to disable the certificate pinning on the client. For example, by using SSL Kill Switch on iOS.
A previous question asked how to "prevent bypassing certificate pinning." I understand how prevention is effectively impossible, since as long as the client has root on the client device, any prevention is limited to "security by obscurity" and reduced to playing a cat-and-mouse game.
However, I'm interested in whether it is possible to detect, from the server side, when a client has disabled certificate pinning.
1) Is it possible, using only low level SSL functionality, to detect when certificate pinning has been disabled by the client?
2) If not possible with low level SSL functionality, then is there some information the server could require from the client in order to prove that certificate pinning remains enabled?
No, it is not possible to determine the state of SSL pinning at the client. SSL pinning is part of the certificate validation done solely inside the client and the only feedback the server gets is if the validation succeeded (connection continues) or not (connection closed, maybe TLS alert).
Also there is nothing fully reliable the server could to to "ask" the client about the state of pinning because you cannot expect a true response from an application which runs on a device fully controlled by the "attacker".
But one can make it harder to disable pinning undetected. If you are building an application and want to detect if pinning is disabled you might make connections to two different hosts. For one of the hosts you expect a valid and pinned certificate and for the other a valid but not pinned certificate. If both connection succeed you can conclude that somebody tampered with the pinning. Of course if the "attacker" knows this behavior of the application he can work around your detection but without the knowledge it gets harder. And more complex (and maybe even dynamic) schemes like this should be possible to make it even harder.
But the question remains what you get from knowing if pinning is disabled or not. If you make sure that pinning is not possible you might deter man in the middle sniffing. This still leaves the option to sniff the data inside the application, i.e. before they get encrypted and after they got decrypted. This means analyzing and even modifying the data is still possible by an attacker in control of the device.
External links referenced by this document: