by throwaway2016a 3110 days ago
You may be a little optimistic here. Just because the technology exists does not mean everyone uses it.

I use a MITM proxy to reverse engineer my IoT apps all the time (a lot of them don't provide public APIs but I want to use them from my controller app). I have not once run into one that used pinning.


Most of the popular consumer apps use SSL pinning these days.

Is that a fact or assumption? Do you have a source?

That's not a jab at you; I am legitimately interested in reading it if you have a source.

I have literally not found one I cared about doing a MitM exploit on that actually did it. Granted, I haven't tried social networks because my interest lies mostly in apps that don't have public APIs and most social networks have APIs.

I won't say who they are because this is not the right venue, but I can say for certain that neither my bank nor my alarm company uses pinning.

From personal experience reverse-engineering apps: WhatsApp, Facebook, Twitter, Skype, Uber, Snapchat, Instagram - all pinned. The trend is definitely there; more and more apps adopt certificate pinning.

This is true for the App Store top 10, but from what I've seen not much out of that. In practical terms, the bigger problem is Android 8, which does not trust user-added CAs for app traffic (https://github.com/mitmproxy/mitmproxy/issues/2054#issuecomm...). It's a really odd move by Google against privacy researchers.

Weird, so much for a "hacker-friendly" operating system.

I wonder if you can bypass this behavior by rooting the device?

If you have root access, you can [1]. You can also build your own apps to trust the "user" certificates [2].

[1]: https://blog.jeroenhd.nl/article/android-7-nougat-and-certif...

[2]: https://android-developers.googleblog.com/2016/07/changes-to...
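
As an added example (not part of the thread or of the linked posts): a small Python audit of an Android network security config, the file an app uses to opt in to "user" certificates or to declare pins. It reports whether user-added CAs are trusted in release builds or only under `debug-overrides`, and which domains carry a pin set. The sample XML, its domain and pin value are constructed, and the function name `audit` is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from a real app): one pinned domain, and
# user-added CAs trusted only when the build is debuggable.
SAMPLE = """<network-security-config>
  <base-config>
    <trust-anchors>
      <certificates src="system"/>
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set>
      <pin digest="SHA-256">PLACEHOLDER+BASE64+SHA256+OF+SPKI=</pin>
    </pin-set>
  </domain-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src="user"/>
    </trust-anchors>
  </debug-overrides>
</network-security-config>"""

def audit(xml_text):
    """Summarise user-CA trust and pinning in a network security config.

    Only top-level sections are inspected; nested <domain-config>
    elements and trust-anchor inheritance are not modelled.
    """
    root = ET.fromstring(xml_text)
    report = {"user_ca_release": [], "user_ca_debug_only": False, "pinned": []}
    debug_user = False
    for section in root:
        certs = section.findall("./trust-anchors/certificates")
        trusts_user = any(c.get("src") == "user" for c in certs)
        if section.tag == "debug-overrides":
            debug_user = trusts_user
            continue
        # base-config has no <domain> children, so label it "<base>"
        domains = [d.text.strip() for d in section.findall("domain")] or ["<base>"]
        if trusts_user:
            report["user_ca_release"] += domains
        if section.find("./pin-set/pin") is not None:
            report["pinned"] += domains
    # "debug only" holds when no release section also trusts user CAs
    report["user_ca_debug_only"] = debug_user and not report["user_ca_release"]
    return report
```

A non-empty `user_ca_release` means a release build accepts any CA the device owner installs; an empty `pinned` list means no domain is pinned through this file.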