[rektide]

you've listed one platform (of many) where it's possible to (in some cases where there is a .cert or .pem file sitting in an apk), updated that apk pkg, & then use side-loading (not available on os'es) to install that hacked package.

there's a number of caveats to your steps, it will definitely not be this easy in all cases. and i while this wasn't all that difficult, it's still a situation where the OS is actively working to prevent the user from being able to understand their system. and most platforms don't provide even this much of an affordance, of opening, rebuilding, & side-loading packages.

[Godel_unicode]

You're making this sound so much harder than it is.

[rektide]

I sincerely do not think so & I genuinely & I think appropriately fear that humankind is quickly approaching an era where they have no power to understand what their softwares are doing.

This is already the case on iphone, I think. You have only outlined the most bare-basic case on Android. if certs were embedded this would not work. Who knows about osx & windows. It's much much much much harder & in many cases already impossible. The security people seem only to want to guard the applications, continually at the expense of the user. Who will fight for the user?

I think I am on the bead here.

[Godel_unicode]

I'm aware that you think that. What I'm struggling with is, in the face of all the evidence in this thread and others, why. This stuff is easy. It's well documented. There are YouTube videos literally (like, literally literally) walking through every step of the process. The fact that you specifically do not know how to do it right now doesn't mean it can't be done, or even that it's hard. The fact that your argument is "who knows about..." and not a specific example is a big clue that you might be baselessly worried about the sky falling. You claim that users are walled off, yet you haven't produced a single example of that being true.

The fact that the cost to exploit end user devices in an irreversible, hard to detect way has been raised is a real benefit to the user. The fact that mitm of banking apps is very difficult without protracted user interaction is a real benefit to the user. There are, conservatively, hundreds of millions of users having their lives made better by security people fighting for them every day to make their devices safer to use in a hostile world.

Do you also object to TLS? What about centrally generated electricity?

[rektide]

If anyone has been citing no examples, imo, it's you. I have elaborated & elaborated & elaborated, & you have said nothing to contend with other than 'it's easy'. I disagree. I've tried to talk to that at length. You've left everything but your one happy easy path to modifying a cert untouched, not commenting on a single one of the difficulties I've raised.

I think TLS was mis-designed for an in-appropriate & indecent form of security that does not give permissions to the most important actor.

Leaving the CA store on the hard drive, free to be modified by the user & sys-ops in a judicious careful manner was respectful of systems agency, giving a wide range of respect to different ways systems might need to be operated. Now, there are very few permissible ways to modify behavior. The system has closed down, locked down, become less programmable, less configurable. This advancement of the unmalleable is, imo, notable, prominent, progressing (on a wide variety of fronts), & obviously bad.

[Godel_unicode]

You provided one specific example, I explained how trivial that example was to hack around. Since then there's been nebulous pearl-clutching about how security is bad. If you had provided specific examples of how you think things are difficult, I would have explained how wrong you are. Unpinning certs is easy. Removing embedded certs is easy. Hooking verification functions is easy. If you possess the hardware, you win.

[rektide]

Most of the tool I've seen requires jailbroken/rooted devices. So only a handful of devices are even capable of these techniques. The latest iOS 14 has not yet been broken. Increasingly few Android devices can be unlocked or rooted, have been properly exploited into this mode.

I've said numerous times I thought your example was rosy. Removing embedded certs from Windows, OSX, iOS, Android programs seems like, in many cases, it could be difficult, as I don't feel like just removing the content is going to change app code that may be asking explicitly for pinning. Hooking verification functions as some of the xposed frameworks do seems viable, but again, this all is contingent on users having a level of access that most devices actively work to prevent, that requires the device to be exploited to achieve.

The security climate is in fact quite chilling. Everything you say is possible, but it requires increasingly rare access to the device, and increasing advanced levels of reverse engineering. The days when one could add their own CA to the store & intercept- those made sense- and they are long gone. The app makers, the OS makers, are securing devices against this kind of user-level control.