> Unfortunately, the Venmo team doesn't seem like they care about their users' security and data privacy, and they are not validating SSL certificates.
Looking at the code, the client talks to https://api.venmo.com/v1 (over TLS). It's up to the client to validate the cert, so this statement makes no sense.
> I should mention that Venmo sends your email address and password as plain text when you log in.
It is sent over TLS, which is NOT plain text. The author has no idea what they are talking about.
> It's up to the client to validate the cert, so this statement makes no sense.
Given that they talk about reverse engineering the app, maybe they mean the official app not doing it. Not that a post about an API wrapper on a programming forum is a good place to communicate that.
3 comments
[ 1.6 ms ] story [ 13.0 ms ] thread> Unfortunately, the Venmo team doesn't seem like they care about their users' security and data privacy, and they are not validating SSL certificates.
Looking at the code, the client talks to https://api.venmo.com/v1 (over TLS). It's up to the client to validate the cert, so this statement makes no sense.
> I should mention that Venmo sends your email address and password as plain text when you log in.
It is sent over TLS, which is NOT plain text. The author has no idea what they are talking about.
Given that they talk about reverse engineering the app, maybe they mean the official app not doing it. Not that a post about an API wrapper on a programming forum is a good place to communicate that.
Irrespective, you have install a root certificate on your phone, which generally has pretty clear warning on the risks.
Certificate pinning can always be bypassed anyway, security through obscurity isn't security.