by thewataccount 1166 days ago
You can't do cert pinning if you're using the openai api directly though?

That only applies for internal api calls, at which point the requests/binary won't contain the openai key?

Ehh, I don't think it'd be that hard to implement cert pinning against OpenAI's APIs.

You just need some very permissive pinning, where you require any publicly trusted CA, to prevent MITM attacks. Basically only trust the root CAs a phone already trusts by default. You don't need coordination between the server and your client to implement this. All you have to do is prevent your TLS calls from trusting any certs signed by manually trusted CAs that Proxyman/Charles/etc might have had the user add.

Of course, that'll only delay the API keys leaking. With a jailbroken iPhone and Frida you can effectively disable cert pinning checks. Or extract the keys from memory, or binary analysis, etc.

> All you have to do is prevent your TLS calls from trusting any certs signed by manually trusted CAs that Proxyman/Charles/etc might have had the user add.

Yeah but I have certs signed by trusted root authorities a la letsencrypt?

The letsencrypt root CA is included in this. If you trust only a device’s default trusted CA all letsencrypt certs will work. Also they don’t have their own root CA: https://letsencrypt.org/certificates/

I'm dumb and realized I can get a letsencrypt cert but the domain won't match.....

Yeah you are correct, it only really can be done with APIs you can control, and even then it is a pain bc you need the certs and app in lockstep. But for example if your proxy api used an api key and you wanted an additional layer of security. Edit: sibling comment is interesting for an approach that might remove low hanging fruit
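As an added example (not from anyone in this thread), here is how the two ideas above look in an Android network security config: the "permissive pinning" from the earlier comment (trust only the device's pre-installed public roots, so a Charles/Proxyman CA the user installed is rejected), plus an optional real pin-set for a backend you control, as the last comment describes. `api.example.com` and the pin values are placeholders; the file is assumed to live at `res/xml/network_security_config.xml` and be referenced from the manifest.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Assumed location: res/xml/network_security_config.xml
     Referenced from AndroidManifest.xml on the <application> element:
       android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>

    <!-- Applies to every host the app talks to, including api.openai.com.
         src="system" = only the roots shipped with the OS. CAs the user added
         themselves (e.g. an interception proxy's root) are NOT in this set. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>

    <!-- Optional stricter pinning for a backend you control (placeholder host).
         Pins are SHA-256 hashes of the SubjectPublicKeyInfo, base64-encoded.
         Always include a backup pin and an expiration so a cert rotation
         that outruns an app update degrades to system trust, not an outage. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2025-12-31">
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_SHA256_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_SHA256_BASE64=</pin>
        </pin-set>
    </domain-config>

    <!-- Only honoured when the build has android:debuggable="true", so a
         developer can still proxy debug builds while release builds ignore
         user-added CAs. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user"/>
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

On Android 7.0+ apps already get `src="system"` by default; stating it explicitly keeps the behaviour intentional and documents the debug-only exception. As the thread notes, this raises the bar against a proxy CA but does nothing against hooking or memory extraction on a rooted device.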