Is there a way to get the built-in list of anchor certificates from the OS?

What platform?

And just curious, who are you trying to protect against: a bad actor who quietly compromises a victim’s device to install their own root cert? Or a tech-savvy device owner who wants to use something like mitmproxy to inspect your app’s traffic? If the latter, then why?

iOS and macOS. Trying to block real attacks/snooping, not the device owner inspecting traffic.

If nobody has an answer about an API for this, you can at least get the certs during development from here: Available trusted root certificates for Apple operating systems. Then you could bake their fingerprints into your app. Unfortunately those pages don’t provide an easily digestible format such as CSV.

I am looking for a way to get the immutable list of anchor certificates from the OS.

There is no API to enumerate the built-in iOS trust store.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Would there be a way to tell whether an instance of SecCertificateRef is trusted as part of the immutable store vs. the system/user keychain?

Would there be a way to tell whether an instance of SecCertificateRef is trusted as part of the immutable store vs. the system/user keychain?

No.

You should feel free to file an enhancement request describing your requirements. Please post your bug number, just for the record.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

And maybe include the suggestion that the data behind Available trusted root certificates for Apple operating systems be made available in machine-readable form, if my suggestion about that proves useful.

@eskimo here it is: FB12059413