Xtek
That's not entirely true. SSL only protects you if someone can't inject their own trusted root CA. A common way people 'man in the middle' cell phone apps is to get you to install an app that installs a malicious root CA (certificate authority). This then fools all apps on your phone into trusting an attacker's cert, because they can sign a cert that says they are Tesla and your app will gladly send it your credentials, since the cert is signed by one of the CAs that your phone trusts.
This is why you should only install trustworthy apps.
As for progress on the project... I'm inching forward. Holidays and some home renovations have proven more distracting than I planned.
It is entirely true. SSL pinning prevents someone from injecting a CA even if you install the CA yourself. The only way around this is if you have an older OS version that doesn't have SSL pinning.
Certificate and Public Key Pinning - OWASP
EDIT: As proof, try using Charles Proxy or Fiddler on a modern iOS/Android device. You can't MITM yourself. I wrote a C-level patch for iOS to disable SSL pinning, to get around it.
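The check that pinning adds on top of normal chain validation, as an added example that is not code from either post or from the OWASP page: the app hashes the leaf certificate's SubjectPublicKeyInfo and compares it with the pins it shipped, so a certificate chaining to a newly installed root CA is rejected even though the OS trust store accepts it, while a re-issued certificate carrying the same key still passes. The DER helpers, `fake_cert`/`fake_spki` and the placeholder key bytes are constructed for the demo so it runs offline; real certificates carry real keys and signatures.

```python
import base64, hashlib
# Tiny DER helpers written for this example (not a full ASN.1 library; lengths up to 65535).
def tlv(tag, body):
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + ln + body
def seq(*parts): return tlv(0x30, b"".join(parts))
def elements(body):
    """Split a DER SEQUENCE body into (tag, raw_element_bytes) pairs, handling long-form lengths."""
    out, pos = [], 0
    while pos < len(body):
        start, tag, ln, pos = pos, body[pos], body[pos + 1], pos + 2
        if ln & 0x80:
            ln, pos = int.from_bytes(body[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
        pos += ln
        out.append((tag, body[start:pos]))
    return out

def body_of(raw):  # value of one DER element, tag and length stripped
    return raw[2 if raw[1] < 0x80 else 2 + (raw[1] & 0x7F):]

def spki_der(cert_der):
    """Locate SubjectPublicKeyInfo: Certificate -> tbsCertificate -> 6th field after optional version."""
    fields = elements(body_of(elements(body_of(cert_der))[0][1]))
    if fields[0][0] == 0xA0:                # [0] EXPLICIT version present (v2/v3 certs)
        fields = fields[1:]
    return fields[5][1]                     # serial, sigAlg, issuer, validity, subject, SPKI

def spki_pin(cert_der):
    """HPKP/OkHttp-style pin string: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der(cert_der)).digest()).decode()

def pin_matches(cert_der, pinned):
    """Run after the TLS library validated the chain: the leaf key must be one the app pinned."""
    return spki_pin(cert_der) in pinned

def fake_spki(key):
    """Constructed SPKI shell (rsaEncryption OID + placeholder key bits); not a real key."""
    return seq(seq(tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"), tlv(0x05, b"")), tlv(0x03, b"\x00" + key))

def fake_cert(issuer, spki):
    """Constructed, unsigned X.509-shaped DER for the demo; the signature field is a dummy."""
    name = seq(tlv(0x31, seq(tlv(0x06, b"\x55\x04\x03"), tlv(0x0C, issuer.encode()))))  # CN=issuer
    alg = seq(tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))                       # sha256WithRSA
    validity = seq(tlv(0x17, b"240101000000Z"), tlv(0x17, b"250101000000Z"))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), alg, name, validity, name, spki)
    return seq(tbs, alg, tlv(0x03, b"\x00" * 9))
APP_KEY = fake_spki(b"app-server-public-key-placeholder")   # the key the app ships a pin for
PINS = {spki_pin(fake_cert("Real CA", APP_KEY))}
```

In a real app the pin set also carries a backup pin for the next key, so a routine key rotation does not lock users out.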