by dheera 1857 days ago
Most apps now use certificate pinning, i.e. they have the root certificate included in the app and signed as part of the app, so that method won't work.

On Android it's much easier to intercept and modify the behavior of apps and tell the system to disregard signatures and things of the sort.

2 comments

Maybe you live in an alternate reality, but in this reality most apps aren’t remotely sensitive enough to use cert pinning.

Also, since Android 7, even non-cert-pinned apps simply ignore user/admin-installed certificates; you can’t do anything without (1) rooting and injecting cert into root trust store; or (2) binary patching. Neither is easy, whereas installing a certificate as a profile on iOS is a trivial process.
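Added example, not part of any comment in this thread: a sketch of how an app developer declares the behaviour discussed above using Android's Network Security Configuration file. It shows the system-only trust default for apps targeting API 24 and later, a pin set for one host, and a debug-only override. The host name, expiration date and pin values are placeholders, not values from the thread.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from the manifest with
     android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>

    <!-- Written out explicitly here, but this matches the platform default
         for apps targeting API 24+: only the system CA store is trusted,
         so CAs installed by the user are ignored. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Pinning for one host. api.example.com is a placeholder. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <!-- Each pin is the base64 SHA-256 hash of a certificate's
             SubjectPublicKeyInfo. Ship a backup pin so a key rotation
             does not lock out installed copies of the app. After the
             expiration date the pins are no longer enforced. -->
        <pin-set expiration="2030-01-01">
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_HASH_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_HASH_BASE64=</pin>
        </pin-set>
    </domain-config>

    <!-- Takes effect only in builds with android:debuggable="true", so the
         developer's own test proxy CA is trusted during development while
         release builds keep the stricter settings above. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```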

They use cert pinning anyway.

I spent a while reverse-engineering Clubhouse's API and what data they were sending, and even they use cert pinning. Most of the big apps all do.

> On Android it's much easier to intercept and modify the behavior of apps and tell the system to disregard signatures and things of the sort.

This really doesn't increase my confidence in Android as an OS. I'd rather prefer it to be really hard to intercept and modify the behavior of apps and to make the system disregard signatures.

When I say it's easier, that doesn't mean any app can do it in user space, it's only easier because the OS itself is open source, you can modify it to your liking, and there is a decent community around alternate (also open source) images such as LineageOS which can give you very good control over what user space apps can and cannot do.

If you use an open source version of Android you can prevent even Google from tracking you. With iOS no matter how hard you try you can't really stop Apple from getting your info.