Mobile apps can do this with certificate pinning. Web apps used to be able to do this with HTTP Public Key Pinning (HPKP) [1], but it was deprecated because it was too much of a footgun. Instead you can monitor for certificates for your domain that aren't expected via Certificate Transparency logs.
> Modern iOS/Android have something called SSL Pinning.
Yep, the mobile OSes have that option, but it’s not very commonly used. I fairly regularly snoop traffic on apps and it’s not super often that I’m blocked temporarily by cert pinning.
> Mobile apps typically have other key pinning mechanisms that are preloaded (i.e. baked into the binary), but that's typically easy to bypass if you're the owner of a device; it's not really effective as a mechanism against reverse engineering.
Your comment makes me realize that HPKP can bootstrap itself, and is unlike regular pinning (with certificate bundled in the binary, as you say).
So do you agree that a powerful enough owner of the device should be considered able to set up a server which poses as the regular server the app talks to, and sniff any request the app sends to its server?
> All traffic is encrypted these days. So you cannot check it.
Of course you can, just configure your phone to use a MITM proxy (e.g. burp). This won’t work for apps that use certificate pinning but most apps don’t.
Of course, you still don’t know what data they really store and/or sell.
This works as long as the app does not enforce certificate pinning. But if it does, there's no way to override it and inspect what's actually going on, as I can on my desktop.
Just be ready for mitm proxying on some mobile apps to be a bust if they use certificate pinning. I’m not aware of anything that can get you past that besides patching the app itself.
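What a pinned client actually checks, as an added example (not code from any commenter in this thread), written in Go: the pin is the HPKP-style SHA-256 of the certificate's SubjectPublicKeyInfo, and the verification hook accepts the handshake only if a pinned key appears somewhere in the presented chain, so a proxy-issued certificate for the same hostname is rejected. The function names (`PinOf`, `CheckPins`, `SelfSigned`) are my own, the certificate is constructed in the block, and any backup pin value is a placeholder.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)
// PinOf returns the HPKP-style pin "sha256/<base64(SHA-256(DER SubjectPublicKeyInfo))>".
func PinOf(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}
// CheckPins builds a tls.Config.VerifyPeerCertificate callback: the handshake passes only if
// a chain cert carries a pinned key. Keep a backup pin for the next key or rotation locks clients out.
func CheckPins(pins []string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		for _, raw := range rawCerts {
			cert, err := x509.ParseCertificate(raw)
			if err != nil {
				return err
			}
			for _, p := range pins {
				if p == PinOf(cert) {
					return nil // a proxy-issued cert has a different key and never matches
				}
			}
		}
		return errors.New("tls: no certificate in chain matches a pinned key")
	}
}
// SelfSigned mints a throwaway Ed25519 certificate (constructed test data) so the example runs offline.
func SelfSigned(host string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Wire `CheckPins` into `tls.Config{VerifyPeerCertificate: ...}` on the client; an intercepting proxy's certificate for the same name has a different key and fails the check.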
> I believe ssl pinning is circumvented on iOS by leveraging the objective-c runtime to hook the callbacks that an app would use to inspect the remote peer certificate.
I believe this only works if apps are using their own custom stack to perform this validation. If they are using the iOS TLS implementation, you will need a jailbroken device to fix this.
> you need an edge device that deeply inspects each packet.
As cert pinning becomes more common, we are rapidly losing the ability to do this. The only workaround I know of for iOS/Android is to jailbreak/root your device and get a debugger attached to apps. I haven't seen a workaround for getting around cert-pinned Metro apps.
Android apps could also do certificate pinning with the same effect though? In this case there isn't any difference between Android and iOS in functionality.
> Not if the app uses certificate pinning, ships its own version of an SSL library and uses code-signing and obfuscation to prevent you messing around with it.
Are there desktop apps that behave this way? At least in my experience, I haven't come across anything like this on Linux.
[1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key...