Hacker News

In line with the age-old advice on how sausages are made, here's my advice: don't ever inspect the data leaving a mobile device.

– Just as I was about to add this comment, I remembered how it's not limited to mobile devices anymore.

(Thankfully with certificate pinning and integrity checking you may be spared of the risk of ever finding out what your apps actually do. Remember: only weirdos and terrorists tinker.)




Certificate pinning and integrity checking will only come into play if the services move to HTTPS :). Sadly, Emirates is sending HTTP links to help users manage bookings.


Certificate pinning is going away: http://www.zdnet.com/article/google-chrome-is-backing-away-f...

I think we can be confident that sites that don't even use CSP won't be implementing Expect-CT any time.


HPKP is what the article you posted is referring to, and probably will go away completely.

However, profiling the public key of the site a mobile app connects to and erroring out if it is compromised to prevent MitM attacks is called 'certificate pinning' for mobile apps but is not related to the HPKP pinning of browsers. A reference for certificate pinning: https://blog.netspi.com/certificate-pinning-in-a-mobile-appl...


It seems grandiose to call that 'certificate pinning' when it is just hard coding, e.g. a self-signed CA cert or (worse) a particular server cert.

Makes me suspect that a lot of client side validation is happening with mobile apps.


Presumably GP was talking about in-app certificate pinning, not Google’s opinion of the day...





