科技回声

There is no way of knowing whether an app uses https or not. How do you trust an app, then?

You have to trust the organization, same as always. If your bank/credit union doesn't use https in their app, they probably don't have a secure infrastructure period.<p>If the organization you're dealing with is incompetent, it doesn't matter if you communicate with https, carrier pigeon, or face-to-face. They'll still leave things open at some point and you'll get screwed.<p>And, as heinrichf points out, you can MITM and name-and-shame individual apps if you're technical.

A friend wrote a really nice blog post about this in 2013. It's always felt like the white elephant in the room of iOS apps.<p>"WebViews Are Not To Be Trusted" <a href="https://web.archive.org/web/20140213214723/http://matthodges.com/2013/09/webviews-are-not-to-be-trusted/" rel="nofollow">https://web.archive.org/web/20140213214723/http://matthodges...</a>

You can redirect the traffic of your device through a proxy and sniff it (e.g. <a href="https://mitmproxy.org/" rel="nofollow">https://mitmproxy.org/</a>) to determine if an app uses https or not, and furthermore if it performs certificate pinning.

A similar problem is that many apps ask me to log in with my Facebook password. With a browser I can see that my password is being sent directly to Facebook but with an app, who knows?

I have tiers of trust based on levels of perceived risk, and that's multiplied with the frequency of use.

There is no way of knowing whether an app uses https or not. How do you trust an app, then?

A similar problem is that many apps ask me to log in with my Facebook password. With a browser I can see that my password is being sent directly to Facebook but with an app, who knows?

I have tiers of trust based on levels of perceived risk, and that's multiplied with the frequency of use.

Ask HN: No HTTPS – Why do you trust an app?

5 条评论

Ask HN: No HTTPS – Why do you trust an app?

5 条评论