by SeriousM 1273 days ago
MitM on Android works very well if you just use an app without a browser view. Android doesn't tell you that the certificate was changed, and the app developer usually doesn't care to pin the certificate or check for the issuer. When using a random Wi-Fi, use a VPN just to be sure.

Which certificate authority does this new cert chain from? No reputable authority will issue valid certs for public WiFi MitM.
People can't distinguish the official Wi-Fi from a rogue one if it "sounds" official. Just go to a crowded place, name your Wi-Fi "Joes Coffee Shop" and people will connect to it in no time.
I guess the point is about MitM, which you have not really answered. MitM requires the man in the middle to present a webpage / API to the user over HTTPS with a valid certificate so that the browser or the Android app would make connections to it. They just don't accept all TLS certificates as valid, only the ones signed by CAs trusted by the device. It is the same for Android. I guess you are confusing certificate pinning with standard TLS. Certificate pinning is an additional measure and protects against compromised CAs etc. Standard TLS itself is sufficient to prevent MitM over HTTPS.

> MitM on Android works very well if you just use an app without a browser view.

Do you have any examples showing this? Popular HTTP clients like OkHttp on mobile devices do perform TLS validation based on trusted CAs stored on the device. You would have to go out of your way to make them trust self-signed certificates to perform MitM, or compromise a CA to issue you a certificate to allow MitM.