[wtbob]

Note that with the latest changes to Android, using mitmproxy to analyse the behaviour of apps has become impossible: apps refuse to accept personally-installed certificates.

In the future, we'll see less revelations about this sort of thing, not because it has become rarer but because Google have chosen a course of action which obscures it.

(it also breaks things like personal or corporate CAs, but that's a different problem)

[mhils]

+1 to this. We (mitmproxy) see the changes in Android Nougat as a very unfortunate development for this kind of privacy research. :(

Some context: https://github.com/mitmproxy/mitmproxy/issues/2054

[pyre]

It's also hardening against malware basically doing the same thing that mitmproxy does though.

[mhils]

For Android < N, if you install a custom CA, you'll get a permanent "Network may be monitored by an unknown third party" notification that cannot be dismissed and stays across reboots. Android wasn't really "insecure" in that regard beforehand.

Your point is valid, but I think it's a negligible improvement that comes in hand with severe implications for privacy research.