by frogsRnice 638 days ago
There have been cases of applications not performing chain validation - see the paper "Spinner: Semi-Automatic Detection of Pinning without Hostname Verification" (in particular page 8)

While it may be paranoid, there are still risks involved with connecting a device to an untrusted network
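The misconfiguration the comment above refers to, illustrated as an added example (not code from this thread or from the Spinner paper): an audit of a Python `ssl.SSLContext` for the two settings that are usually behind "the app accepted a bad certificate" (chain validation and hostname checking switched off), a minimal RFC 6125 style hostname matcher, and a check showing why a certificate pin on its own is not a substitute for hostname verification. The fingerprint strings and SAN lists in the test are constructed sample values.

```python
import ssl


def audit_tls_context(ctx):
    """Return findings for context settings that let a client accept a
    certificate a properly validating client would reject.
    (Constructed check for this example, not from the Spinner paper.)"""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("chain validation disabled (verify_mode=CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled (check_hostname=False)")
    return findings


def insecure_client_context():
    # The pattern commonly copied from Q&A answers when a self-signed cert
    # "doesn't work". check_hostname must be cleared before verify_mode can
    # be set to CERT_NONE, which is why the two lines appear in this order.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context():
    # create_default_context() loads the system trust store, requires a
    # valid chain (CERT_REQUIRED) and enables hostname checking.
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH)


def hostname_matches(san_dns_names, hostname):
    """RFC 6125 style DNS-ID matching: an exact (case-insensitive) match, or
    a wildcard that is the entire left-most label and covers exactly one
    label. Partial wildcards such as "f*.example.com" are rejected."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue  # a wildcard never spans more than one label
        first, rest = labels[0], labels[1:]
        if rest != host_labels[1:]:
            continue
        if first == host_labels[0]:
            return True
        # Require at least two labels after the wildcard so "*.com" never matches.
        if first == "*" and len(rest) >= 2:
            return True
    return False


def pinned_and_verified(cert_fingerprint, expected_fingerprints, san_dns_names, hostname):
    """The pairing the Spinner paper is about: a pin check only says the
    certificate is one the app expected somewhere; it does not say the
    certificate was issued for the host being contacted. Returns (ok, reason)."""
    if cert_fingerprint not in expected_fingerprints:
        return False, "pin mismatch"
    if not hostname_matches(san_dns_names, hostname):
        return False, "pinned certificate is not issued for " + hostname
    return True, "ok"


if __name__ == "__main__":
    print(audit_tls_context(insecure_client_context()))
    print(audit_tls_context(hardened_client_context()))
```

Running `audit_tls_context` over the contexts an app actually builds is a cheap code-review check; the `pinned_and_verified` case shows that pinning to a CA or an intermediate without also matching the hostname lets any certificate under that pin stand in for the real backend.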

There have been cases? I see this kind of stuff all the time. I once saw an app that had a popup warning me that the TLS cert is wrong but still let me connect...
Haha, that's terrifying! I was just trying to point out that assuming that apps do this correctly is a bad idea; but my experience echoes yours, it's a common mistake - even just browsing Stack Overflow, people give some pretty gnarly advice.

Unless I've looked at the app myself I wouldn't touch public Wi-Fi - even then there are other risks to consider

Would you do it with a VPN? (I would, just checking)
A VPN (that you trust) would certainly help a little, but in the above case the connection can still be MITMed from the VPN server to the application backend

Edit: I would for my personal devices, unless I knew the app did something horrendous in advance - but I guess the core problem is you really have no way of knowing unless you check the app yourself or there is a known and reported vulnerability.

I wouldn't, especially not having looked at the VPN at first. It might expose you to even more attackers than could fit in your Starbucks
VPNs have a bad reputation, but I trust Mullvad (have used and paid them often), and Proton (currently paying them).
I trust Mullvad more than others, because IIRC they were one of the few that actually had RAM-only infrastructure when they were audited