[merek]

> We installed mitmproxy on a Mac, configured an iPhone to route traffic through it, and installed the mitmproxy CA certificate on the device.

> All HTTPS traffic was decrypted and logged. No modifications were made to the traffic. The app was used as any normal user would use it.

Is it really that simple to inspect network traffic on an iPhone, namely to get it to trust the user-installed cert? I do quite a bit of network inspection on Android and I find it to be painful, even if the apps don't use certificate pinning.

Regardless, it highlights the importance of having control of our own devices, including the ability to easily inspect network traffic. We have the right to know where our data is being sent, and what data is being sent.

I recall during COVID it was discovered that Zoom was sending traffic to China. There was also the recent case of Facebook tracking private mobile browsing activity and sending it to their servers via the FB app. Imagine how much questionable traffic goes unnoticed due to the difficulty in configuring network inspection for apps.

[jeroenhd]

> Is it really that simple to inspect network traffic on an iPhone, namely to get it to trust the user-installed cert?

iOS still trusts user-installed certs by default, unlike Android's opt-in model.

However, this only applies to apps using the OS TLS stack. Apps packaging their open openssl may use their own set of certificate authorities. Also, most big apps use certificate pinning for most of their domains.

Apps from Twitter or Facebook probably won't work due to pinning. Quick and dirty could-have-been-a-single-web-page apps, such as this one, usually won't bother with any of that, and neither do many tracking libraries.

Of course, malicious apps can detect when someone is using an altered certificate and choose not to send traffic until the MitM is over.

[varun_ch]

Yes, it is _a lot_ easier to set up mitmproxy on iOS vs Android. But once you encounter an app with certificate pinning, being on a more open platform that lets you install your own apps can help get around that.

[varun_ch]

that said, mitming stuff even on Android can be a pain, so I use a rooted Android emulator with Frida. Even that can be a hassle sometimes.

https://www.trickster.dev/post/setting-up-rooted-android-emu...

[cedws]

Installing the CA requires jumping through some hoops, but yes, intercepting traffic for apps that don’t use cert pinning isn’t that difficult on iOS.

Apps that do use cert pinning is a whole other matter, I’ve tried unsuccessfully a few times to inspect things like banking apps. Needs a rooted device at the minimum.

[funman7]

So I assume the white house app doesn’t do cert pinning

Also looked into this a long time ago… could someone tell me how to do this with cert pinned apps ?

[selcuka]

In general you can't without patching the app itself, statically or at runtime using something like Frida.

[userbinator]

Regardless, it highlights the importance of having control of our own devices, including the ability to easily inspect network traffic. We have the right to know where our data is being sent, and what data is being sent.

Meanwhile I've always found it amusing that there's a loud, probably corporate-owned/Big-Tech-brainwashed subset of the "security" crowd who complains about MITM proxies.

[hn_go_brrrrr]

Are the MitM proxies the braindead ones that are hampering the evolution of SSL? Because those are terrible, no corporate shilling required.

[jacquesm]

> I recall during COVID it was discovered that Zoom was sending traffic to China.

Yes it was. Imagine, all those (lower) governments holding crisis meetings and sending the video and audio to China. What are the chances that all that stuff was recorded. Nice training data for some deepfakes.