
Ask HN: No HTTPS – Why do you trust an app? - newsignup
There is no way of knowing whether an app uses https or not. How do you trust an app, then?
======
patmcc
You have to trust the organization, same as always. If your bank/credit union
doesn't use https in their app, they probably don't have a secure
infrastructure, period.

If the organization you're dealing with is incompetent, it doesn't matter if
you communicate with https, carrier pigeon, or face-to-face. They'll still
leave things open at some point and you'll get screwed.

And, as heinrichf points out, you can MITM and name-and-shame individual apps
if you're technical.

------
tedmiston
A friend wrote a really nice blog post about this in 2013. It's always felt
like the white elephant in the room of iOS apps.

"WebViews Are Not To Be Trusted"
https://web.archive.org/web/20140213214723/http://matthodges.com/2013/09/webviews-are-not-to-be-trusted/

------
heinrichf
You can redirect the traffic of your device through a proxy and sniff it (e.g.
https://mitmproxy.org/) to determine if an app uses
https or not, and furthermore if it performs certificate pinning.
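
The check heinrichf describes, as an added example that is not part of the original comment: a mitmproxy addon that records, per host, whether an app on your own device sent plain HTTP, accepted the proxy's certificate, or rejected it. The class name, report wording and file name are assumptions; only mitmproxy's documented addon hooks (`request`, `tls_failed_client`, `done`) are used.

```python
# Added example. Load with: mitmdump -s audit_app_tls.py  (file name is an assumption)
# The device under test must route traffic through the proxy and trust its CA.
from collections import defaultdict


class AppTransportAudit:
    def __init__(self):
        # host -> set of observations made while the app was running
        self.seen = defaultdict(set)

    def request(self, flow):
        # Fires for every HTTP request the proxy was able to read.
        req = flow.request
        kind = "cleartext" if req.scheme == "http" else "https-intercepted"
        self.seen[req.pretty_host].add(kind)

    def tls_failed_client(self, data):
        # The app refused the proxy's certificate. With the proxy CA installed
        # on the device, this is what certificate pinning looks like.
        addr = data.context.server.address
        host = data.conn.sni or (addr[0] if addr else "unknown")
        self.seen[host].add("tls-rejected")

    def verdict(self, host):
        obs = self.seen.get(host, set())
        if "cleartext" in obs:
            return "sends plain HTTP"
        if "https-intercepted" in obs:
            return "HTTPS, no pinning"
        if "tls-rejected" in obs:
            return "HTTPS, proxy rejected (possible pinning)"
        return "no traffic seen"

    def done(self):
        # Print the per-host summary when the proxy shuts down.
        for host in sorted(self.seen):
            print(f"{host}: {self.verdict(host)}")


addons = [AppTransportAudit()]
```

A "proxy rejected" verdict only indicates pinning if the proxy's CA certificate is actually trusted by the device; otherwise every HTTPS app will show it.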

~~~
newsignup
Yes, but how would the general public know about it? It's strange that the whole of the
web has moved so far with https and yet apps have no such way of knowing.

------
MarkMc
A similar problem is that many apps ask me to log in with my Facebook
password. With a browser I can see that my password is being sent directly to
Facebook but with an app, who knows?

------
kleer001
I have tiers of trust based on levels of perceived risk, and that's multiplied
with the frequency of use.

