[rektide]

would this work if Amazon was using cert pinning? cert pinning basically seems like a way to make apps able to resist user's having any freedom or power. the author here installs a custom CA to man-in-the-middle. now more & more apps use cert pinning, which would block that, I believe, & keep the user from being able to reverse engineer & probe.

imo the forces in favor of securing things have done the users great great damage. who are we securing things for? imo the security world needs to re-orient, & begin to harken to RFC 8890 The Internet is For End Users[1], allowing users some means to see how their systems are behaving. "secure" standards like cert-pinning favor giant companies & totalistic visions of security, taking from computing the person & personal. cert-pinning is a good layer of defense, but it takes away user affordances that must be added back.

[1] https://tools.ietf.org/html/rfc8890

[ptbrowne]

You're right, this technique would not work if Amazon had used cert pinning. I haven't yet tried to bypass a cert pinning app, but it seems that frameworks like Frida could help : https://medium.com/@ved_wayal/hail-frida-the-universal-ssl-p....

[Godel_unicode]

Or just open up the apk in e.g. apk studio and replace the bundled cert with the one from your mitm proxy. Effectively, that'll repin the app to your proxy specifically. There are more exotic pinning methods that this won't solve (the forever cat-and-mouse game) but it's good for many apps.

[rektide]

It's a problem that, alas, must be tackled somewhat uniquely on every platform, where-as previously users were free to manage their own Certificate Authorities as they wished. Now users are safe & secure from themselves. :/ Admittedly there were a lot of problems with poorly managed CA stores, users being abused, but cert-pinning feels like such a drastic overreach in preventing any form of user control.

Techniques like this "rebuild your apk" are interesting & good to have, but every OS needs it's own bag of tricks. It's probably not a total show-stopper, but news like today's that Windows 10 will only install signed driver software (an admittedly niche-ish case), the closed Apple store,... there's a lot of places side-loading is not an option. Do those apps get a pass, get to be complete black-box software that we the users have zero ability to look at or understand?

[1] https://www.zdnet.com/article/windows-10-will-start-blocking...

[Godel_unicode]

You're making this sound so much harder than it is, though. None of the techniques for bypassing the security enhancements is difficult, nor are they undocumented. Who are these hobbyists who want to reverse engineer the whispersync protocol but can't follow a simple tutorial to swap out a CA?

[rektide]

you've listed one platform (of many) where it's possible to (in some cases where there is a .cert or .pem file sitting in an apk), updated that apk pkg, & then use side-loading (not available on os'es) to install that hacked package.

there's a number of caveats to your steps, it will definitely not be this easy in all cases. and i while this wasn't all that difficult, it's still a situation where the OS is actively working to prevent the user from being able to understand their system. and most platforms don't provide even this much of an affordance, of opening, rebuilding, & side-loading packages.

[Godel_unicode]

You're making this sound so much harder than it is.

[yellow_lead]

This module works well too. https://github.com/Fuzion24/JustTrustMe

[rektide]

Amazing tool, neat trick. It requires xposed framework though, which is an interception framework for Android that requires root access to install.

Less and less devices seem to have root, and almost no devices these days seem to allow unlocking the bootloader, which is even better.

It feels like users are getting kicked further & further & further out. We are less & less able to have any chance to understand what computing is, & this deeply deeply hurts us, I tend to believe.