
Simply verifying the certificate is not enough; it is simple to decompile and reverse-engineer an IPA to bypass certificate checks.

You should NOT be sending such sensitive information on other users, encrypted or not. Unless of course you want to continue this trend of violating your users' privacy.




Given access to the device, I find it much easier and simpler to install my own Certificate Authority than to decompile and modify the IPA.

The CA can also be provided in a .mobileprofile, installable through email.

It also validates as a legitimate certificate, unless the app is looking for a particular certificate, which I think is rare.
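The comment above points at the one check that an attacker-installed CA does not satisfy: the app comparing the server's public key against a value it ships with (pinning), rather than just asking the system trust store whether the chain validates. The following is an added illustration written for this thread, not code from any commenter or from the app being discussed. It implements an HPKP-style pin check (base64 of SHA-256 over the DER SubjectPublicKeyInfo) with a tiny stdlib-only DER walker, and builds a constructed, unsigned certificate shell around a made-up SPKI so it can be exercised offline; the certificate and key bytes are placeholders, not a real certificate.

```python
import base64
import hashlib

# --- minimal DER helpers (enough for X.509 field walking) -----------------

def der_len(n: int) -> bytes:
    """DER length encoding, short form (<128) or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content

def der_seq(*items: bytes) -> bytes:
    """Encode a SEQUENCE of already-encoded elements."""
    return der_tlv(0x30, b"".join(items))

def der_read(buf: bytes, offset: int):
    """Decode the TLV at offset; return (tag, content, offset_after)."""
    tag = buf[offset]
    first = buf[offset + 1]
    pos = offset + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def der_children(content: bytes):
    """Yield (tag, raw_tlv_bytes) for each element directly inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, _, nxt = der_read(content, pos)
        yield tag, content[pos:nxt]
        pos = nxt

# --- SubjectPublicKeyInfo extraction and pin check ----------------------

def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw DER SubjectPublicKeyInfo of an X.509 certificate.

    RFC 5280 layout: Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_body, _ = der_read(cert_der, 0)
    _, tbs_tlv = next(der_children(cert_body))
    _, tbs_body, _ = der_read(tbs_tlv, 0)
    fields = [tlv for _, tlv in der_children(tbs_body)]
    if fields and fields[0][0] == 0xA0:      # skip optional EXPLICIT [0] version
        fields = fields[1:]
    return fields[5]                          # serial, sigAlg, issuer, validity, subject, SPKI

def spki_pin(cert_der: bytes) -> str:
    """Pin value in the HPKP / common mobile-pinning form: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def check_pin(cert_der: bytes, pins: set) -> bool:
    """True only if the presented leaf's public key matches a shipped pin.

    A certificate issued by a locally installed CA chains fine in the system
    trust store, but its key is not in `pins`, so this check rejects it.
    """
    return spki_pin(cert_der) in pins

# --- constructed test fixtures (placeholders, not real certificates) ------

def build_fake_cert(spki: bytes) -> bytes:
    """Wrap an SPKI in a structurally valid, unsigned certificate shell."""
    rsa_oid = der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")   # sha256WithRSAEncryption
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))                    # [0] EXPLICIT INTEGER 2 (v3)
    serial = der_tlv(0x02, b"\x01")
    sig_alg = der_seq(rsa_oid, der_tlv(0x05, b""))
    empty_name = der_seq()
    validity = der_seq(der_tlv(0x17, b"240101000000Z"), der_tlv(0x17, b"250101000000Z"))
    tbs = der_seq(version, serial, sig_alg, empty_name, validity, empty_name, spki)
    return der_seq(tbs, sig_alg, der_tlv(0x03, b"\x00" + bytes(32)))   # dummy signature

def fake_spki(key_bytes: bytes) -> bytes:
    rsa_enc_oid = der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
    return der_seq(der_seq(rsa_enc_oid, der_tlv(0x05, b"")), der_tlv(0x03, b"\x00" + key_bytes))

PINNED_SPKI = fake_spki(bytes(range(64)))        # constructed "our server" key
ROGUE_SPKI = fake_spki(bytes(range(64, 128)))    # constructed "interceptor CA issued" key
PINNED_CERT = build_fake_cert(PINNED_SPKI)
ROGUE_CERT = build_fake_cert(ROGUE_SPKI)
PINS = {spki_pin(PINNED_CERT)}                   # what the app would ship with

if __name__ == "__main__":
    print("legit leaf accepted:", check_pin(PINNED_CERT, PINS))
    print("locally-issued leaf accepted:", check_pin(ROGUE_CERT, PINS))
```

In a real client the `cert_der` would be the leaf certificate handed back by the TLS stack after normal chain validation, and the pin set would usually include a backup key so a key rotation does not lock users out. Pinning on the SPKI rather than the whole certificate is what lets the server renew its certificate without an app update.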


To clarify, sensitive information is no longer transferred at all. This was hotfixed earlier today.



