How to disable SSL pinning in MAUI application?

Question

I want to disable the SSL pinning in UAT mode and I tried like below:
On ClientSingleton.cs I have added a method ConfigureHttpClientForEnvironment():

public void ConfigureHttpClientForEnvironment()
{
    var handler = new HttpClientHandler();

    if (!string.IsNullOrWhiteSpace(BaseUrl))
    {
        var uri = new Uri(BaseUrl);

        //If You Want UAT + QA Disabled
        //if (uri.Host.Contains("-uat") || uri.Host.Contains("-qa"))

        // Disable SSL validation only for UAT
        if (uri.Host.Contains("-uat"))
        {
            handler.ServerCertificateCustomValidationCallback =
                HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
        }
    }

    HttpMessageHandler = handler;
}

On MainService.cs updated the CreateInstance() like below:

public static MainService CreateInstance(string apiRoot, string mobileApplicationKey)
{
    EnvironmentConfig.ApiRoot = apiRoot;
    EnvironmentConfig.MobileApplicationKey = mobileApplicationKey;

    ClientSingleton.Instance.BaseUrl = EnvironmentConfig.ApiRoot;
    
    //SL pinning disable code
    ClientSingleton.Instance.ConfigureHttpClientForEnvironment();

    Instance = new MainService();
    return Instance;
}

Finally I test it like below:

I have added a TestCode() function on the LoginPage constructor like below:

public EmailPMAPage()
{
    InitializeComponent();
    TestCode();
}

private async void TestCode()
{
    try
    {
        var result = await ClientSingleton.Instance.HttpClient.GetStringAsync(ClientSingleton.Instance.BaseUrl);
        Console.WriteLine("SSL bypass successful, response length: " + result.Length);
    }
    catch (Exception ex)
    {
        Console.WriteLine("SSL still validated: " + ex);
    }
}

While running i get below output:

[DOTNET] SSL bypass successful, response length: 4684

Is this the correct approach to disable the SSL pinning?

Answer 1

Hi @Sreenivasan, Sreejith ,

Thanks for reaching out.

Yes, but check this line:

handler.ServerCertificateCustomValidationCallback =
    HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;

This line will accept anything, it won't care about the certificate. It means this will disable all SSL validation, not just disable pinning. This's why your approach to disable the SSL pinning is correct but extremely dangerous.

I recommend a safer approach below:

#if DEBUG
handler.ServerCertificateCustomValidationCallback =
    HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
#endif

This ensures that it's impossible to ship to production accidentally and is safer development workflow.

If your goal is to bypass validation only in UAT while preserving proper validation in production, you may use:

handler.ServerCertificateCustomValidationCallback =
    (message, cert, chain, errors) =>
    {
        if (isUat)
            return true;

        return errors == SslPolicyErrors.None;
    };

This way: UAT bypasses validation and production still validates properly.

Hope this helps! If my answer was helpful - kindly follow the instructions here so others with the same problem can benefit as well. Thanks for your time.

Answer 2

The approach of assigning a custom HttpClientHandler with ServerCertificateCustomValidationCallback is the standard way in .NET (and .NET MAUI) to bypass certificate validation for HTTP calls, and the test output confirms that SSL validation is being bypassed for that HttpClient instance.

However, there are two important points:

1. This disables certificate validation, not “SSL pinning” logic inside the app.
   • Certificate pinning means the app explicitly restricts which certificates or public keys are accepted, beyond normal OS trust. In MAUI/.NET, that would typically be implemented via a custom validation callback that checks thumbprints/keys, or via platform-specific pinning.
   • What the code does is bypass all certificate validation for the configured host (in UAT), which effectively disables both normal TLS validation and any pinning that was implemented via HttpClient certificate checks.
2. Use this only in development/UAT and guard it with build configuration.
   • The MAUI guidance for local HTTPS services uses the same pattern, but explicitly wraps it in #if DEBUG so it can’t leak into production builds:

          var handler = new HttpClientHandler();
          
          #if DEBUG
          handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) =>
          {
              if (cert != null && cert.Issuer.Equals("CN=localhost"))
                  return true;
              return errors == System.Net.Security.SslPolicyErrors.None;
          };
          #endif
          
          var client = new HttpClient(handler);
     

   • In a similar way, the UAT-only bypass should be protected by configuration (build symbol, environment flag) so it can’t be accidentally enabled in production.

From a purely technical standpoint, the pattern of:

1. Creating an HttpClientHandler.
2. Setting ServerCertificateCustomValidationCallback (or DangerousAcceptAnyServerCertificateValidator) based on environment/host.
3. Using that handler in the HttpClient used by the app.

is the correct mechanism in MAUI to bypass certificate validation for UAT.

For production, if certificate pinning is required, the recommended pattern is the inverse: implement a custom validation callback that checks the expected certificate chain or thumbprint instead of disabling validation.

---

References:

• Connect to local web services from Android emulators and iOS simulators
• Local web services running over HTTPS
• Best practices for Azure App Service
• Intro to secure Windows app development
• Frequently asked questions for Transport Layer Security inspection