
Hit App Sarahah Quietly Uploads Your Address Book - mcone
https://theintercept.com/2017/08/27/hit-app-sarahah-quietly-uploads-your-address-book/
======
dehef
If they were using HTTPS it would be kept secret, no, with his "Burp" suite of
investigation? That looks like a sniffing method, not through decompilation,
which is pretty trivial for Android source. Anyway that's strange, or the
article isn't technically accurate.

~~~
albeebe1
I've used CharlesProxy to view HTTPS traffic from apps on my phone.

~~~
dehef
I'm not a pro in security, but if you use a valid certificate with a certain
domain name (not just an IP), it should be impossible to watch with a proxy in
the middle? Unless you cheat the certificates which are in the phone, maybe?

~~~
SallySwanSmith
[https://www.owasp.org/index.php/Certificate_and_Public_Key_P...](https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning)
Would be required

~~~
nlo
Even with HPKP, many libs/apps behave like Firefox/Chrome in this respect:

"""Firefox and Chrome disable pin validation for pinned hosts whose validated
certificate chain terminates at a user-defined trust anchor (rather than a
built-in trust anchor). This means that for users who imported custom root
certificates all pinning violations are ignored."""

[https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning](https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning)
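The pin check that the OWASP link above calls for, together with the user-anchor bypass quoted from MDN, as an added Python example that is not part of this thread and not code from Sarahah, Burp, Charles, Firefox or Chrome. The certificates and SubjectPublicKeyInfo bytes are constructed here (DER layout only, not real keys), and the names `AnchorSource`, `pin_check` and the flag `bypass_for_user_anchors` are chosen for this example:

```python
import base64
import hashlib
from dataclasses import dataclass
from enum import Enum


class AnchorSource(Enum):
    """Where the root that terminated the validated chain came from."""
    BUILTIN = "built-in"   # shipped with the OS or browser
    USER = "user-added"    # imported by the user, e.g. a Burp or Charles CA


@dataclass(frozen=True)
class Cert:
    subject: str
    spki_der: bytes  # DER-encoded SubjectPublicKeyInfo of this certificate


def pin_sha256(spki_der: bytes) -> str:
    """HPKP/OWASP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_has_pinned_key(chain: list[Cert], pins: set[str]) -> bool:
    """A pin set matches if ANY certificate in the validated chain carries a
    pinned key, so an intermediate or root can be pinned instead of the
    frequently rotated leaf."""
    return any(pin_sha256(c.spki_der) in pins for c in chain)


def pin_check(chain: list[Cert], anchor: AnchorSource, pins: set[str],
              bypass_for_user_anchors: bool) -> bool:
    """Return True if the connection is accepted.

    bypass_for_user_anchors=True reproduces the browser behaviour quoted from
    MDN: pins are not enforced when the chain ends at a user-imported root,
    which is exactly what an intercepting proxy relies on.  False enforces
    the pins against every chain, whatever root it ends at.
    """
    if anchor is AnchorSource.USER and bypass_for_user_anchors:
        return True
    return chain_has_pinned_key(chain, pins)


def constructed_spki(seed: bytes) -> bytes:
    """Constructed test data: a DER SubjectPublicKeyInfo carrying the P-256
    OIDs and a pseudo-random 64-byte 'point' derived from seed.  The DER
    layout is the real one (91 bytes); the key material is not a real key."""
    header = bytes.fromhex(
        "3059301306072a8648ce3d020106082a8648ce3d03010703420004")
    point = hashlib.sha256(seed).digest() + hashlib.sha256(seed + b"\x01").digest()
    return header + point


def demo() -> dict[str, bool]:
    # Genuine chain: leaf <- intermediate <- built-in root.  Pin the intermediate.
    intermediate = Cert("Genuine Intermediate CA", constructed_spki(b"intermediate"))
    genuine_chain = [Cert("api.example.com", constructed_spki(b"leaf-2017")),
                     intermediate]
    pins = {pin_sha256(intermediate.spki_der),
            pin_sha256(constructed_spki(b"backup-key"))}  # backup pin, not deployed

    # Proxy chain: same hostname, but the leaf was minted by a proxy CA that the
    # tester imported as a user trust anchor.  No pinned key appears anywhere.
    proxy_chain = [Cert("api.example.com", constructed_spki(b"proxy-leaf")),
                   Cert("Intercepting proxy CA", constructed_spki(b"proxy-root"))]

    return {
        "genuine_strict": pin_check(genuine_chain, AnchorSource.BUILTIN, pins, False),
        "proxy_strict": pin_check(proxy_chain, AnchorSource.USER, pins, False),
        "proxy_browser_style": pin_check(proxy_chain, AnchorSource.USER, pins, True),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:>20}: {'accepted' if accepted else 'REJECTED'}")
```

The strict policy rejects the proxy chain even though the OS validated it (the imported CA is trusted), which is the case where Burp or Charles stop seeing plaintext; the browser-style policy accepts it, which is the case the MDN quote describes. For a real certificate the same pin value comes from the OpenSSL pipeline the MDN page documents: `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64`.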

