by ultramancool 3966 days ago
Not really, heck, on Android and iOS around 40% of banking apps don't even check the certificate at all.

Most people, even most developers seem to be pretty clueless with this stuff.

The paper won't be available to everyone until Wednesday at [1], but:

> Altogether, of the 639,283 [Android] apps in our data-set, 45 implement pinning.

[1]: https://www.usenix.org/conference/usenixsecurity15/technical...

> on Android and iOS around 40% of banking apps don't even check the certificate at all.

Please name and shame; this sounds pretty surprising!

List of Android SSL MITM vulnerable apps: https://samsclass.info/128/proj/popular-ssl.htm

Highly recommend any material on the main site as well. One of the few legit infosec professors I have ever interacted with.

At least for Android: https://docs.google.com/spreadsheets/d/1t5GXwjw82SyunALVJb2w...

There are several banking-related apps listed here.

Heard that on an old Security Now episode. https://www.grc.com/sn/sn-443-notes.pdf is the best I have, unfortunately; there's mention of it near the bottom there.