do_18
Sep 09, 2024 | Copper Contributor
Status: New
iOS client does not verify server certificate (idea: re-introduce certificate validation)
By default (in the absence of a CA-signed server certificate), RDP connections between Windows PCs rely on a trust-on-first-use (TOFU) model, where the client software displays a warning [1] before sending credentials to an untrusted server whose certificate hash is not pinned to the registry [2].
The Remote Desktop client for iOS used to work like the Windows client in this respect [3], but at some point in the last few years, it stopped checking server certificates altogether. This is a security risk, because Windows credentials could be intercepted by a man-in-the-middle.
Is this behaviour actually intended? If it is, I would strongly suggest adding a setting to manually re-enable certificate validation for environments with higher security requirements.
(In my testing, neither reinstalling the app nor using a FQDN to connect had any effect.)
[1] https://i.sstatic.net/pu5YX.png
[2] HKCU\SOFTWARE\Microsoft\Terminal Server Client\Servers\...\CertHash
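The trust-on-first-use model the post describes (warn on an unknown server, pin its certificate hash, compare on later connections) as an added, standalone example; this is not the Remote Desktop client's code. It assumes the pinned value is the SHA-1 thumbprint of the DER-encoded server certificate, uses constructed placeholder bytes in place of real certificates, and applies a stricter-than-mstsc policy of refusing outright on a pin mismatch.

```python
import hashlib
import hmac
from enum import Enum


class TofuResult(Enum):
    FIRST_USE = "first-use"  # no pin yet: warn the user before sending credentials
    MATCH = "match"          # pinned thumbprint equals the presented one: proceed
    MISMATCH = "mismatch"    # pinned thumbprint differs: possible interception


def cert_thumbprint(der_cert: bytes) -> bytes:
    """SHA-1 thumbprint of a DER-encoded certificate (assumed CertHash format)."""
    return hashlib.sha1(der_cert).digest()


class TofuStore:
    """In-memory stand-in for the per-server CertHash registry values."""

    def __init__(self) -> None:
        self._pins: dict[str, bytes] = {}  # server name -> 20-byte thumbprint

    def check(self, server: str, der_cert: bytes) -> TofuResult:
        pinned = self._pins.get(server)
        if pinned is None:
            return TofuResult.FIRST_USE
        # constant-time comparison so the check itself leaks nothing about the pin
        if hmac.compare_digest(pinned, cert_thumbprint(der_cert)):
            return TofuResult.MATCH
        return TofuResult.MISMATCH

    def pin(self, server: str, der_cert: bytes) -> None:
        self._pins[server] = cert_thumbprint(der_cert)


def connect_decision(store: TofuStore, server: str, der_cert: bytes,
                     user_accepts_warning: bool) -> bool:
    """Return True only when credentials may be sent to this server."""
    result = store.check(server, der_cert)
    if result is TofuResult.MATCH:
        return True
    if result is TofuResult.FIRST_USE and user_accepts_warning:
        store.pin(server, der_cert)  # the accepted certificate becomes the pin
        return True
    # FIRST_USE declined, or MISMATCH: never send credentials silently
    return False


# Constructed placeholder "certificates"; real DER blobs would be used in practice.
CERT_A = b"constructed placeholder DER bytes: server certificate A"
CERT_B = b"constructed placeholder DER bytes: server certificate B"
```

A client that skips this logic entirely, as the post says the iOS client now does, sends credentials in the MISMATCH case as readily as in the MATCH case.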