9 comments

[ 4.5 ms ] story [ 26.3 ms ] thread
The problem is really android permissions. If an app wants to identify me by accessing my IMEI the prompt shouldn't be "Allow this app to make phone calls". It is very misleading because it falls under such a large umbrella without informing the user of anything useful.
If there were using https it would be keep secret no, with his "Burp" suite of investigation? That look like a sniffing method, not through decompilation - which is pretty trivial for android source. Anyway that's strange, or the article isn't technically accurate
(comment deleted)
I've used CharlesProxy to view HTTPS traffic from apps on my phone.
I'm not a pro in security but if you use a valid certificate with a certain domain name (not just a ip), it should be impossible to watch with a proxy in the middle? unless you cheat the certificate which are in the phone maybe?
Even with HPKP, many libs/apps behave like Firefox/Chrome in this respect:

""" Firefox and Chrome disable pin validation for pinned hosts whose validated certificate chain terminates at a user-defined trust anchor (rather than a built-in trust anchor). This means that for users who imported custom root certificates all pinning violations are ignored.

"""

https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key...