Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Why wouldn't the traffic of the Play Store not be going over SSL? I never looked myself, but I'd expect it to be encrypted.


FWIW, the Play Store web site forces you to https. I'd expect the app would as well.


I'd be curious to see what information is transferred by Android phones that is not through SSL. Given all the apps out there that have access to your personal data and could be transmitting whoknowswhat through non-ssl requests, probably enough ways to mess with someone.


Imagine using a pineapple http://wifipineapple.com/ and sitting in a coffee shop with your laptop out messing with people's insecure traffic! The ramifications of such could be quite potent given any chance that an insecure app could allow insertion of basically any content into a http request.

This is why you secure your damn wifi. Even if the password and user are on the wall, the traffic is still encrypted!


If you are in a coffeshop you too will likely have the passphrase to the WiFi, then you can still intercept traffic of your unsuspecting users, ARP poisoning and whatnot.

So just because its WPA2 doesnt make it magically safe from tampering.

And usually a coffeshop that has WPA2 will still have admin/admin as their router credentials, if you are lucky they have Linux and from there you have # and can use iptables to divert traffic to your device as you wish.


Fortunately there are a few projects out there that will let you wrap up a pretty decent radius+WPA2-enterprise setup -- but even with that ease-of-use -- the things that can go wrong to take down the network sky-rockets, and few coffee shops etc will be deploying it (too much hassle/too much time/too little awareness).

I believe there is ample opportunity to sell a "secure wifi box" with some kind of fanless linux/*bsd-box with a (more) secure access point in it than what most ISPs currently deliver. Throw in a caching, ad-blocking proxy... (Alternative business plan: give the boxes away, sell ads based on location -- (re)placing ads in web content...).


Also, don't most Google apps use certificate-pinning these days? I don't think this is super plausible.


Not that I'm aware of. I've man-in-the-middled a few of them in the past couple months. On my phone, Twitter and Foursquare are the only ones that I've seen that actually do certificate pinning.


As I understand google policy, they allow a user supplied CA to over-rule certificate pinning, to allow for the common use case of an enterprise supplied certificate rewriting at the firewall. So unless you're using one of the magic wildcard sub-ca certs issued by a default CA I suspect you're seeing the google apps allowing an exception to pinning.


If so, that's pretty cool. Happen to know if foursquare / twitter have anything in place that lets them handle the enterprise case w/o letting me mitm them?


nope. i've only heard of google doing any real messaging re: pinning.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: