"HTTPS is sufficient against MITM, until someone disables all verification to use their self-signed cert, or adds their poorly-secured "CA" cert to the allowed CA's for the download, or adds a weak cipher to the list. "
Or that attacker controls or can coerce a Certificate Authority in the OS's root list - like, say, just about any nation state...
Most apps - I suspect - are not pinning their TLS certs. Apple have already gotten into a very public fight with the FBI.