6 comments

  • merek 11 minutes ago
    > We installed mitmproxy on a Mac, configured an iPhone to route traffic through it, and installed the mitmproxy CA certificate on the device.

    > All HTTPS traffic was decrypted and logged. No modifications were made to the traffic. The app was used as any normal user would use it.

    Is it really that simple to inspect network traffic on an iPhone, namely to get it to trust the user-installed cert? I do quite a bit of network inspection on Android and I find it to be painful, even if the apps don't use certificate pinning.

    Regardless, it highlights the importance of having control of our own devices, including the ability to easily inspect network traffic. We have the right to know where our data is being sent, and what data is being sent.

    I recall during COVID it was discovered that Zoom was sending traffic to China. There was also the recent case of Facebook tracking private mobile browsing activity and sending it to their servers via the FB app. Imagine how much questionable traffic goes unnoticed due to the difficulty in configuring network inspection for apps.

    • varun_ch 8 minutes ago
      Yes, it is _a lot_ easier to set up mitmproxy on iOS vs Android. But once you encounter an app with certificate pinning, being on a more open platform that lets you install your own apps can help get around that.
    • cedws 8 minutes ago
      Installing the CA requires jumping through some hoops, but yes, intercepting traffic for apps that don’t use cert pinning isn’t that difficult on iOS.

      Apps that do use cert pinning are a whole other matter, I’ve tried unsuccessfully a few times to inspect things like banking apps. Needs a rooted device at the minimum.

  • Cider9986 1 hour ago
    Some previous discussion. I think this one is worth a read as well, though.

    https://news.ycombinator.com/item?id=47555556
    https://news.ycombinator.com/item?id=47577761

  • ddxv 54 minutes ago
    Browse the SDKs it's using as well:

    https://appgoblin.info/apps/gov.whitehouse.app/sdks

  • vjvjvjvjghv 16 minutes ago
    Ads are coming next.
  • longislandguido 55 minutes ago
    [flagged]
    • abustamam 51 minutes ago
      The US government is publishing an app that over 50k people have downloaded, at least on the Android app store.

      People should care.

      • longislandguido 47 minutes ago
        And? Half the posters here develop VC-funded spyware professionally.
        • yabutlivnWoods 42 minutes ago
          VCs publicly funded by tax policy and bailouts. Americans are abused spouses.
        • calvinmorrison 44 minutes ago
          and the other half work for the government or an NGO LOL
    • gunsle 44 minutes ago
      [flagged]
      • wnevets 41 minutes ago
        I hear there is this amazing new app you can install to avoid all of the TDS you dislike so much.
      • SpicyLemonZest 37 minutes ago
        Perhaps if Trump did not want his opponents to be deranged about him, he should not have published a video where he puts on a crown then gets in a bomber jet and dumps poo on them. But of course, that's the trick; I've been called deranged in the past just for accurately reporting that he published that video!
        • longislandguido 20 minutes ago
          It takes a special amount of humorlessness and social ineptitude to take everything he says seriously.
          • SpicyLemonZest 9 minutes ago
            What's the point of lying like this? You know and I know that Trump would not take it in good humor if a CEO or politician posted a video of themselves pooping on him. Nor would you take it in good humor if your boss posted a video of themselves pooping on you. There's just nothing humorous about it.
  • gruez 1 hour ago
    So like... most b2c apps out there? I checked app privacy report for a few such apps I have installed and also got a very high proportion of third party domains. Maybe not as high as 77% but definitely above 50% (i.e. more domains are third party than first party). The most surprising part here is them refusing to put correct info in the "data collected" section of the app store listing.

    edit: they seemed to have updated the store listing, so the "data collected" section is correct.
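The mitmproxy setup quoted in merek's comment above and the first-party vs third-party domain proportion gruez describes can be combined into one small tally; this is an added example, not code from the article or from either commenter. The first-party set and the sample hostnames are constructed assumptions, not captured traffic.

```python
"""Tally hosts seen by mitmproxy and report the third-party domain share (added example)."""
from collections import Counter

# Assumed first-party registrable domain(s) for the app under test.
FIRST_PARTY = {"whitehouse.gov"}

# Constructed sample of hostnames, shaped like what a mitmproxy session would log.
SAMPLE_HOSTS = [
    "api.whitehouse.gov", "www.whitehouse.gov", "cdn.whitehouse.gov",
    "app-measurement.com", "firebaseinstallations.googleapis.com",
    "www.youtube.com", "i.ytimg.com", "graph.facebook.com",
    "api.whitehouse.gov", "sentry.io",
]

def registrable_domain(host: str) -> str:
    """Naive eTLD+1: last two labels, plus a tiny list of two-level suffixes.
    Use a Public Suffix List library for anything beyond a quick tally."""
    labels = host.lower().rstrip(".").split(".")
    two_level = {"co.uk", "com.au", "co.jp"}
    if len(labels) >= 3 and ".".join(labels[-2:]) in two_level:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def classify(hosts, first_party=FIRST_PARTY):
    """Return (Counter of registrable domains, share of distinct domains that are third-party)."""
    domains = Counter(registrable_domain(h) for h in hosts)
    third = [d for d in domains if d not in first_party]
    share = len(third) / len(domains) if domains else 0.0
    return domains, share

# Optional mitmproxy addon: `mitmdump -s this_file.py`, then use the app as normal.
try:
    from mitmproxy import http

    class HostTally:
        def __init__(self):
            self.hosts = []

        def request(self, flow: http.HTTPFlow):
            self.hosts.append(flow.request.pretty_host)

        def done(self):  # called when mitmdump shuts down
            domains, share = classify(self.hosts)
            print(f"{share:.0%} of {len(domains)} distinct domains are third-party")
            for d, n in domains.most_common():
                print(f"{n:4d} {d}")

    addons = [HostTally()]
except ImportError:
    pass  # mitmproxy not installed; the pure functions above still work
```

Without mitmproxy installed, `classify(SAMPLE_HOSTS)` runs on the constructed list alone; with it, the same function runs over the live hostnames the proxy saw.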

    • tr_user 1 hour ago
      Are you also the type of person who thinks the government should be run like a business?
      • gruez 1 hour ago
        [flagged]
        • mattbuilds 1 hour ago
          No one put words in your mouth, they asked you a question. You are the one who made the initial comparison to B2C apps, so it seems like a fair question to me. Your comment implies that it's standard and the app isn't doing anything out of the ordinary when I think most people would expect an official government app to be held to a higher standard than the average B2C app.
          • gruez 1 hour ago
            >You are the one who made the initial comparison to B2C apps, so it seems like a fair question to me.

            The relevant part of B2C is the 2C part, not the B. Mass market apps are generally ridden with telemetry and SDKs. Moreover I'm not sure how you think it's a "fair question" to go from a remark about how other apps are equally bad, to thinking I want the US government to operate as a business. It's like doing:

            A: "I called the IRS and was put on hold for 2 hours, can you believe that?"

            B: "To be fair that's the experience calling into most businesses, like banks or the cable company"

            A: "Wow so you think we should be running the IRS like a bank?"

            >I think most people would expect an official government app to be held to a higher standard than the average B2C app.

            Is this a "yes, in an ideal world that's how things should be" type of statement, or are you claiming "yes, government agencies have a track record of delivering technical excellence on software projects, and this particular project was especially bad"? The former is basically a meaningless platitude, and I don't think anyone seriously thinks the latter is true.

            • ryandrake 42 minutes ago
              Ok, so then it just sounds like whataboutism. Those other apps are just as bad. The tone of your original post sounded like you were defending the app's bad behavior. A lot of people might have mistaken your intent, which you clarified in [1].

              1: https://news.ycombinator.com/item?id=47596187

              • gruez 31 minutes ago
                >Ok, so then it just sounds like whataboutism.

                The flip side of "whataboutism" is "isolated demands for rigor"[1]. Going back to the IRS example, is it a fair retort to point out that IRS's hotline only sucks as much as any other large organization's hotline, or is it "whataboutism"?

                [1] https://slatestarcodex.com/2014/08/14/beware-isolated-demand...

                • chirau 15 minutes ago
                  It's the government, the US government. By far the largest employer and spender in the world. So yes, they are held to a higher standard. Businesses intentionally throttle customer service lines for profit reasons. The government should not. How is this difficult to understand?
                  • gruez 3 minutes ago
                    >So yes, they are held to a higher standard.

                    See my earlier comment about how this is a meaningless platitude.

                    >Businesses intentionally throttle customer service lines for profit reasons. The government should not.

                    None of this was presupposed in the original comment, only that wait times are long.

        • neya 1 hour ago
          [flagged]
      • longislandguido 49 minutes ago
        [flagged]
      • jmalicki 1 hour ago
        The government should outsource way more of their traffic to third parties than a business should, since the government is inefficient, right?
        • amazingman 1 hour ago
          Poe's Law strikes again. I legitimately can't tell if this is sarcasm.
      • neya 1 hour ago
        Are you also the type of person who thinks the government isn't being run like a business everywhere in the world?

        If so, why do you think lobbying exists?

        I'm not saying it should be run like a business, but it is naive to think it isn't run like one.

        • nkozyra 47 minutes ago
          > If so, why do you think lobbying exists?

          Specifically because it's not a natural market. There are people who secure a 2-year, consequence-free term to impact U.S. law, at the behest of people with money.

          Lobbying is special interests dictating decisions that often are not financially, morally, or otherwise ideal/beneficial to the other party (the United States and its people). This wouldn't fly at any corporation or business because there would be direct impacts on the bottom line or reputation of the company.

        • lobf 13 minutes ago
          > If so, why do you think lobbying exists?

          Would you like to be able to ask your representative to focus on a particular issue?

    • dwattttt 39 minutes ago
      I'm happy to be against both the White House's 3rd party telemetry as well as other apps. I can multitask.
    • iterateoften 1 hour ago
      A government app being built like b2c is exactly the problem
      • gruez 1 hour ago
        I'm sure that HN's preferred app would be <5MB, and has zero third party SDKs or telemetry, but half a dozen SDKs and third party domains is basically most mass market apps these days. Is it bad? Yes, but the whitehouse isn't being egregiously bad, but "whitehouse app is bad, just like most other apps" isn't going to get clicks.
        • abustamam 46 minutes ago
          "everything else sucks too" is not a great defense for the US govt.
          • gruez 39 minutes ago
            If only. It would be a far better state of affairs if the US government sucks like every other first world country. No other first world country is waging war in the middle east, having paramilitary forces terrorize residents, or undergoing a partial government shutdown.
          • charcircuit 13 minutes ago
            Just because an app embeds YouTube instead of creating their own video hosting solution, that does not mean that the app sucks.
        • aplummer 50 minutes ago
          See gov.uk for a good example
        • SV_BubbleTime 47 minutes ago
          Oh, sorry you missed Elixir and WASM, and rust and programming socks of course. Half credit.
    • longislandguido 23 minutes ago
      [flagged]
    • refulgentis 1 hour ago
      Right, the White House is collecting data and sending it to Huawei, and overall collection rate is worse than any other app you’ve seen by a wide margin.

      That makes me net more surprised after reading your comment.

      You're not surprised the white house is worse than any other app you've seen by 20%?