Ask HN: No HTTPS – Why do you trust an app?

10 pointsnewsignup10y ago6 comments

There is no way of knowing whether an app uses https or not. How do you trust an app, then?

6 comments

You have to trust the organization, same as always. If your bank/credit union doesn't use https in their app, they probably don't have a secure infrastructure period.

If the organization you're dealing with is incompetent, it doesn't matter if you communicate with https, carrier pigeon, or face-to-face. They'll still leave things open at some point and you'll get screwed.

And, as heinrichf points out, you can MITM and name-and-shame individual apps if you're technical.

tedmiston10y ago

A friend wrote a really nice blog post about this in 2013. It's always felt like the white elephant in the room of iOS apps.

"WebViews Are Not To Be Trusted" https://web.archive.org/web/20140213214723/http://matthodges...

heinrichf10y ago

You can redirect the traffic of your device through a proxy and sniff it (e.g. https://mitmproxy.org/) to determine if an app uses https or not, and furthermore if it performs certificate pinning.

newsignupOP10y ago

Yes but how would general public know about it? Its strange that whole of the web has moved so far with the https and yet apps have no such way of knowing.

MarkMc10y ago

A similar problem is that many apps ask me to log in with my Facebook password. With a browser I can see that my password is being sent directly to Facebook but with an app, who knows?

kleer00110y ago

I have tiers of trust based on levels of perceived risk, and that's multiplied with the frequency of use.

j / k navigate · click thread line to collapse