Jason

Reputation: 230

UWP ServicePointManager.ServerCertificateValidationCallback

I have a Xamarin.Forms app that implements certificate pinning utilizing the ServicePointManager.ServerCertificateValidationCallback class and method. On Android and iOS, this works without issue in that it will allow connections to expected services whose certificate keys have been pinned and disallow connections for those that I have not.

However, on UWP, all connections are allowed regardless of whether the certificate key has been pinned or not. I have explicitly returned false from the certificate validation method and the connection is still allowed. I am sure the check is being performed, as I have debugged and stepped through the certificate validation method.

What could be causing the connection to proceed even though I am returning false from the validation check?

using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Register the callback for all ServicePointManager-based connections.
ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;

// Deliberately rejects every certificate, to test whether the callback result is honoured.
private static bool ValidateServerCertificate(
   object sender,
   X509Certificate certificate,
   X509Chain chain,
   SslPolicyErrors sslPolicyErrors
)
{
   return false;
}

Upvotes: 9

Views: 378

Answers (1)

Jason

Reputation: 230

I was able to fix this by:

  1. In the UWP project, double click the Package.appxmanifest file
  2. Under the Declarations menu, select Certificates from the Available Declarations drop down
  3. Click the Add button
  4. Select the Exclusive Trust option

This puts the following XML into the Package.appxmanifest file:

<Extensions>
   <Extension Category="windows.certificates">
     <Certificates>
       <TrustFlags ExclusiveTrust="true" />
     </Certificates>
   </Extension>
</Extensions>

Upvotes: 1
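An added example, not the asker's code: a validation callback that pins the server's public key hash instead of returning false unconditionally, while still refusing any connection the platform itself flags. The class name PinnedCertificateValidator and the pin values are placeholders; real pins are computed with ComputePin from the certificates of your own services.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not the asker's code): accept only servers whose
// public key hash is in a pinned set.
public static class PinnedCertificateValidator
{
    // Constructed placeholder pins: replace with the Base64 SHA-256 of the
    // public keys of your own services (see ComputePin below).
    private static readonly HashSet<string> PinnedKeyHashes =
        new HashSet<string>(StringComparer.Ordinal)
    {
        "PLACEHOLDER_PRIMARY_KEY_PIN=",
        "PLACEHOLDER_BACKUP_KEY_PIN=",   // backup pin so key rotation does not lock users out
    };

    // SHA-256 over the certificate's public key bytes, Base64-encoded.
    // Pinning the key rather than the whole certificate survives
    // re-issuance of a certificate that keeps the same key.
    public static string ComputePin(X509Certificate certificate)
    {
        using (var sha256 = SHA256.Create())
        {
            return Convert.ToBase64String(sha256.ComputeHash(certificate.GetPublicKey()));
        }
    }

    public static bool ValidateServerCertificate(
        object sender,
        X509Certificate certificate,
        X509Chain chain,
        SslPolicyErrors sslPolicyErrors)
    {
        // Pinning is an extra restriction on top of the platform's own
        // chain and host name checks, never a replacement for them.
        if (certificate == null || sslPolicyErrors != SslPolicyErrors.None)
        {
            return false;
        }
        return PinnedKeyHashes.Contains(ComputePin(certificate));
    }

    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
    }
}
```

As the answer above describes, on UWP the callback's return value only takes effect once Package.appxmanifest declares the windows.certificates extension with ExclusiveTrust="true"; the same callback works unchanged on Android and iOS.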
