[shawkinaw]

Wow, this guy has the completely opposite attitude of me. He seems to think it's a bad thing, an attack!, for users to see just what the hell data you're pulling off someone's phone. And, bizarrely, uses an example of an app that essentially stole data from its users.

I should be able to see what data an app is sending, and certificate pinning (and ATS according to another comment) kills that. That's not a good thing.

[userbinator]

It's not an uncommon attitude, and it's also one I detest --- many articles about "security" have some authoritarian/paternalistic aspects to them. Then again, encouraging ignorant users is the easiest way to monetise, analyse, and otherwise manipulate them... and if this ignorance is a convenient byproduct of arranging things so "it's for your security" ostensibly, all the better.

The obligatory related link: https://www.gnu.org/philosophy/right-to-read.en.html

[matchu]

Certificate pinning does prevent an important class of MitM attacks, though.

I think some applications use certificate pinning when validating a certificate provided by a default certificate authority, but, if you manually install a root certificate onto your device, the app will accept the override. That's one possible middle ground.

[kuschku]

Android Nougat disabled that — now it will not accept user-added CAs anymore, anywhere, ever.

[dkopi]

While the privacy concerns are more than valid, reverse engineering is common practice in trying to copy your product.

Reverse engineering isn't inherently good or bad, it's just a tool. That tool can be used for both good and bad.

I always recommend certificate pinning in order to prevent MITM attacks. I also recommend it if you're backend API gives out a lot of information about your product's "secret ingredient".

That said - certificate pinning can often be bypassed: http://blog.dewhurstsecurity.com/2015/11/10/mobile-security-...

[kuschku]

Reverse Engineering to copy is even considered a legal tool in the EU.

The argument of the European Court of Justice was that car manufacturers also buy cars from competitors, take them apart, and use the gained knowledge on their own products. The same happens in every industry — but in Software Engineering, it should now be forbidden? That's not possible.

If you want to protect yourself from that, publish your secret sauce and patent it.

[xuki]

I agree. Cert pinning is fine but there should be an option to disable it (maybe system-wide) for people who want to analyze traffic.

[pilif]

disabling system-wide is pretty much impossible. If OSes added such a toggle, people would start using their own SSL stack and overall security would suffer (because people won't be keeping their SSL stacks up to date)

[sjtgraham]

This is already a reality. There are at least 5 banking apps I can think of that statically link OpenSSL and use that instead of OS crypto.

[mkagenius]

That would pretty much beat the purpose, the author of the app doesn't anyone to snoop.

[cmdrfred]

Data generated on my phone belongs to me. By definition I cannot snoop on myself.

[joosters]

That's what you'd like to think, but the numerous terms & conditions that you've agreed to for your apps means that you're wrong, some data isn't yours.

[tokenizerrr]

No, it really doesnt. Terms of service are only legally binding within the law and the EU has already ruled that reverse Engineering software on your own device is just fine.

So I'll happily keep on ignoring those tldrs.

[__b__]

OK, then how do we separate the data that is his versus data that belongs to somene else? Maybe we would have to look at what is being sent from the app?

[joosters]

Who knows? The two things are unrelated. My comment wasn't anti-reverse engineering, just stating a fact: just because something is in your phone doesn't mean it's yours.

[xuki]

Except you can with a jailbroken phone. Never trust the client, ever.

[__b__]

"I should be able to see what data an app is sending..."

And you can. There are many ways. Something as simple as 2 socat instances and netsed works great as a quick and dirty but very robust solution. See also sslsplit which will generate certificates on the fly.

Anyone who is telling you that you can place complete trust in the use of x509 certificates on the open internet is either naive or dishonest.

I think you have the right attitude.

[tokenizerrr]

You should read up on how certificate pinning works. Obviously you can still decompile and recompile the app with different certificates baked in but it's a bit more difficult than what you're implying.

[__b__]

Any device that prevents a user from installing their own CA root cert is not one I would use. I'm not sure if they have started to do this or not.

In terms of protecting users, there's no valid reason the owner of the hardware should not be able to control the list of endpoints that she has already authenticated and is willing to trust.

It would be like if SSH did not allow the user any control over known_hosts or to decide that she will accept or not accept a connection.

[tokenizerrr]

The entire point of certificate pinning is to ignore the certificates the user installs... Nothing to do with the operating system at all. If the software doesn't want to connect because the wrong certificate is presented to it that's where it ends. You can install as many local roots as you want, it won't change a thing.

[__b__]

"... it won't change a thing."

So if the user does not want to trust a certificate installed by someone else on the device, she can "revoke" it?

And by the same token if she wants to explicitly trust a certificate, regardless of who installed it, she can do so?

Does the user have control of the process of "trust" or not? The entire point of the device, OS and apps is to benefit the user, not some third party trying to hide data being sent from the device... from the user.

Do you believe a user should be able to "MITM" her own traffic or not?

[tokenizerrr]

> Do you believe a user should be able to "MITM" her own traffic or not?

I do, but that is utterly irrelevant to this discussion. We are discussing what certificate pinning is and how it works.

You can currently perform certificate pinning on every single operating system you can imagine. You can do this in a way that completely ignores the trust store of that operating system, and anything the user does to this is ignored by the application.

This has been possible for years on Android. This has been possible for years on Windows. This has been possible for years on Linux.

All the developer has to do is include the certificate of their own CA with the application, restrict the SSL's trust store to this one certificate, and then also check the fingerprint of the resulting certificate offered by the server. Then if the application notices this fingerprint is incorrect, it bails.

This is reality. This is how it works. Nothing I believe or want will change this. No amount of certificates I install in my operating system's trust store will change this either.

What android is doing is making MITMing yourself harder. But it's always been 100% possible for developers to make MITMing impossible without first reverse engineering the app and replacing the baked in certificate.

That's just the way it works.

[mavhc]

A million times as many people are being spied on without their knowledge than want to check their own data though. Not like these things were invented because of users, they were added to stop MITM by governments etc.

If you don't want to use OSes, devices and software that's designed to protect the average user from being hacked, then pick a system which gives you root.