
Anyone could use a network sniffer to see it is uploading something, but you can't tell what since the content may be encrypted. An advanced user may be able to follow the data in a debugger, but that's a lot of work. A very advanced user could instrument the code to perform data flow analysis; see https://www.cs.cmu.edu/~wklieber/papers/soap2014-didfail.pdf


You can relatively easily MITM most applications by uploading a custom root certificate to your phone, and doing SSL termination + re-establishment on a router your phone is using.


Isn't this only true if the app isn't pinning certificates?



