
Popular apps do cert pinning today. Back in 2016 (which is when the claims date back to), maybe Snapchat didn't.

You can read the full complaint here. It is full of juicy details, including Mark Zuckerberg directly suggesting 'figuring out a way' to access Snapchat's encrypted traffic, and how Meta installed a root certificate onto user devices to snoop.

https://storage.courtlistener.com/recap/gov.uscourts.cand.36...

Direct quote from Meta employee based on the complaint: "we install a root CA on the device and MITM all SSL traffic"




A lot may have changed, but here are a few blog posts on various MITM/cert pinning bypasses that some people have done:

https://blog.tendigi.com/starbucks-should-really-make-their-...

https://jeffhuang.com/extracting_my_data_from_the_hello_sens...

https://blog.dewhurstsecurity.com/2015/11/10/mobile-security...

I just had these bookmarked from when I was wondering the same thing.


That is what I refer to as pinned-certificate. Not often used except from some of the biggest companies like Facebook and Snapchat. See my answer on how to go around this.

Hm, I'm surprised more people aren't angry at the lack of adoption of cert pinning in mobile apps. It seems like no one cares to prepare for attacks like this, despite widespread knowledge that they occur?

Didn't some certificate authorities get caught issuing wildcard certificates for anything to government? I remember Google noticing that because they did manual certificate pinning in their apps.

Certificate pinning is one of the most user-hostile security inventions we've created. It makes it so hard to get access to the traffic coming out of your own device, which heavens, seems like such an elementary ask.

I don't think you understand how certificate pinning works then. Many apps right now allow local trust stores, but with this announcement I bet that'll change.

I don't know which users integrity checking the executable would be hostile against. But, I see your point that perhaps their reason for cert pinning is to defend against compromised CAs. It does fit the narrative better with their lack of obfuscation and other layers of defense on their app.

The number of times I've heard people in the tech community mention certificate pinning as a valuable security mechanism is like the number of times I've heard about zombies, despite the fact that they just don't exist.

I've worked on a team that reverse engineered and did security audits on a lot of commercial and consumer applications. We saw cert pinning implemented correctly maybe once or twice a year, by companies large enough that their security team was larger than most software companies' entire payroll.

Basically, it's not a thing that exists, because it is really hard to implement properly. The threat model for being MITM'ed with cert spoofing is pretty exotic. In the end, cert pinning means your application is not working if something goes wrong with the certs, which EVERYONE at some point forgets to renew, or, worse, your CA inadvertently gets hosed.


So what DOES pinning protect against? Certs generated by state actors with access to CAs?

It seems grandiose to call that 'certificate pinning' when it is just hard coding, e.g. a self-signed CA cert or (worse) a particular server cert.

Makes me suspect that a lot of client side validation is happening with mobile apps.


Certificate pinning is inherently security by obscurity; it's intended as an annoyance for anyone trying to reverse-engineer the service, rather than an insurmountable barrier.

+1. Thanks for the link, I didn't know bypassing certificate pinning became so easy.

That's part of the point of certificate pinning.

Some clients use certificate pinning of known popular XMPP hosts. For example, ChatSecure (née GibberBot) on Android appears to use Moxie's certificate pinning for cert chains of a few well-known Jabber servers (like Google and Facebook's), so you will get a warning if they ever start presenting you with new certificates from a different CA.

The implementation leaves a little to be desired; the way it's implemented, any of the CAs for any of the pinned organizations could issue certs that could MITM you, but that's still a lot less than the usual default list of CAs in the system trust store.

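The two designs argued over above (pin the server's own key, or pin the key of a CA you chose, as the ChatSecure comment describes), together with the "install a root CA on the device and MITM all SSL traffic" scenario from the complaint and the rotation failure mode raised earlier in the thread, can be replayed offline with Go's standard library. This is an added example, not code from any of the posters or from ChatSecure or Meta; all certificates, keys and the host name api.example.test are constructed in the block, and the helpers spkiPin, pinVerifier, mkCert, verifyLikeTLS and runScenarios are names chosen here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin: base64 SHA-256 of the DER SubjectPublicKeyInfo, the value HPKP and Android/OkHttp
// "sha256/..." pins hash. Pinning the key, not the cert, survives reissuance under the same key.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinVerifier has the signature of tls.Config.VerifyPeerCertificate. crypto/tls calls it only
// after ordinary chain validation against the device's roots has passed (so it still runs when
// an attacker's root was added to that store) and requires a pinned key in some verified chain.
func pinVerifier(pins []string) func([][]byte, [][]*x509.Certificate) error {
	pinned := map[string]bool{}
	for _, p := range pins {
		pinned[p] = true
	}
	return func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
		for _, chain := range verifiedChains {
			for _, cert := range chain {
				if pinned[spkiPin(cert)] {
					return nil
				}
			}
		}
		return fmt.Errorf("pin validation failed: no pinned SPKI in any verified chain")
	}
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mkCert mints a throwaway Ed25519 cert (timestamp serials: test data only); parent == nil means self-signed root.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, priv
}

// verifyLikeTLS mirrors a TLS client: chain-build against the roots, then hand the chains to the pin callback.
func verifyLikeTLS(leaf *x509.Certificate, roots *x509.CertPool, host string, verify func([][]byte, [][]*x509.Certificate) error) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return err
	}
	return verify([][]byte{leaf.Raw}, chains)
}

// runScenarios replays the thread's cases with constructed certificates; a nil error means the connection is accepted.
func runScenarios() map[string]error {
	const host = "api.example.test" // constructed name, not a real endpoint
	realCA, realCAKey := mkCert("Real Root CA", true, nil, nil)
	leaf, _ := mkCert(host, false, realCA, realCAKey)
	rotated, _ := mkCert(host, false, realCA, realCAKey) // server re-keyed without shipping a backup pin
	mitmCA, mitmCAKey := mkCert("Interception Root", true, nil, nil)
	forged, _ := mkCert(host, false, mitmCA, mitmCAKey) // minted by the root installed on the device
	roots := x509.NewCertPool()                          // the device trust store after that root was added
	roots.AddCert(realCA)
	roots.AddCert(mitmCA)
	leafPin := pinVerifier([]string{spkiPin(leaf)})
	caPin := pinVerifier([]string{spkiPin(realCA)}) // ChatSecure-style: pin the issuing CA's key instead
	return map[string]error{
		"forged leaf, no pinning": verifyLikeTLS(forged, roots, host, func(_ [][]byte, _ [][]*x509.Certificate) error { return nil }),
		"forged leaf, leaf pin":   verifyLikeTLS(forged, roots, host, leafPin),
		"genuine leaf, leaf pin":  verifyLikeTLS(leaf, roots, host, leafPin),
		"rotated leaf, leaf pin":  verifyLikeTLS(rotated, roots, host, leafPin),
		"rotated leaf, CA pin":    verifyLikeTLS(rotated, roots, host, caPin),
	}
}

func main() {
	for name, err := range runScenarios() {
		fmt.Printf("%-24s -> %v\n", name, err)
	}
}
```

The forged leaf is fully chain-valid once the interception root sits in the trust store, so without pinning it is accepted; with a leaf pin it is rejected, which is what a pin buys against an installed root or a misbehaving CA. The same leaf pin also rejects the operator's own re-keyed server, which is the outage the "everyone forgets to renew" comment warns about and why deployed pin sets carry a backup pin; pinning the issuing CA's key instead tolerates the rotation at the cost that anything that CA signs for the name is accepted. In a real client the callback is wired in as `&tls.Config{VerifyPeerCertificate: pinVerifier(pins)}`.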

Any application that uses certificate pinning would fail in this situation as that's specifically what it is trying to prevent.

Think there are a few tools for getting around the certificate pinning, projects like sensepost/objection

I think this would break, for example, mobile apps which use certificate pinning.

And this is why, kids, you need to enforce certificate pinning on your critical infrastructure!

I'm shocked to think this is a minority opinion. Please give us certificate pinning because this type of interception is completely hostile to the end user.