But with a big privacy risk if anyone ever gets their hands on the root CA (which I hope is generated fresh in every install).
Also, Android blocks user-installed CAs by default now; apps have to opt in to accept user-added ones. That makes it pretty useless. Not sure how iOS deals with this.
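For reference, the opt-in the comment above refers to is Android's Network Security Configuration (Android 7.0 and later). The file below is an added illustration, not something from the project under discussion: by default an app's `<base-config>` trusts only the `system` store, so a user-added root CA is ignored unless the app explicitly lists `src="user"` as a trust anchor, or exposes it only for debuggable builds through `<debug-overrides>`. The file name and the package the manifest attribute belongs to are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (file name is an assumption)
     Referenced from AndroidManifest.xml on the <application> element:
       android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>
    <!-- Default for apps targeting API 24+: only the system store is trusted.
         A user-installed MITM/ad-blocking root CA is NOT honoured here. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Only an app that ships this block accepts user-added CAs in release builds.
         This is the opt-in; most production apps do not include it. -->
    <!--
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    -->

    <!-- Applied only when the app is built with android:debuggable="true",
         so a developer can inspect traffic without weakening release builds. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

The practical consequence for a proxy-based ad blocker is that the user CA reaches only apps that opted in (or are debuggable), plus system browsers, which trust the user store for ordinary page loads. Whether a given app honours the CA is therefore decided by its own config, not by the device owner.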
Blocking ads on mobile has been a non-supported use case for a while.
If you really want to get rid of ads on Android, rooting enables you to patch system SSL routines to disable certificate pinning and more. iOS is an Apple product.
MITM for HTTPS means you'll need to set up each machine with an additional cert. And for this project, you need to configure each machine to funnel through the proxy anyways.
Personally, I use NextDNS which allows you to block categories, IPs, and use blocklists.
It's set up on the network level, and I have two separate NextDNS "networks" configured. One for the entire network, one for "privileged" users/devices.
It does not mean that there is not a single bug, but I do not think it is fair to completely discount this approach. Especially when the alternative is browser extensions which bring their fair share of trouble regarding trust, performance, limited capabilities or even security.
I discount this approach. It is necessary but not sufficient to pass on simple browser SSL tests. There are other complexities that are best left to the browser to negotiate the session.
The connection parameters including encryption parameters and certificate from the origin.
There are a lot of weird rules in WebPKI you may miss, this is beyond a general purpose TLS library.
Enforcing Certificate Transparency rules or CAA records, is the proxy doing this?