• 20 Posts
  • 1.2K Comments
Joined 1 year ago
cake
Cake day: July 5th, 2023

help-circle








  • Avid Amoeba@lemmy.catoTechnology@lemmy.worldWhat the hell Proton!
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    2 days ago

    The OS interfaces provided to apps (generally POSIX) have no idea what HTTP is. They’re much lower level than that. If an OS is to control what protocols are used by apps, it has to offer some functionality that does HTTP for the apps and apps have to use it. Unfortunately the only way to force that would be to disable the general OS interfaces so that apps can’t just use existing libraries that use those. If you did that your OS would become useless in other ways that rely on the basic interfaces.

    The other way the OS could do anything about it is to inspect network traffic going over its network interfaces. That would be a significantly different can of worms and it’s not free in terms of processing power and therefore battery. Then you’d have the screams of privacy people that Android or iOS is looking at all network traffic.

    So all in all, the OS isn’t very well suited to police application level protocols like HTTP. At least not on devices whose primary purpose isn’t network traffic related.






  • Apps don’t use the system browser to connect to REST endpoints. Neither do they use the OS. Apps typically use a statically linked library. There are use cases for HTTP-only connections so it’s unlikely that those libraries would mess with forcing or even warning its users that they’ve used HTTP instead of HTTPS. Point is Google and Apple can do little in this regard. Unless they scan apps’ source code which could be possible to some extent but still difficult because URLs are often written in pieces.


  • Avid Amoeba@lemmy.catoTechnology@lemmy.worldWhat the hell Proton!
    link
    fedilink
    English
    arrow-up
    74
    arrow-down
    2
    ·
    edit-2
    2 days ago

    Yup. You can grab any unencrypted data passed between the user’s browser and a server literally out of thin air when they’re connected to an open access point. You sit happily at the Starbucks with your laptop, sniffing them WiFi packets and grabbing things off of them.

    Oh and you have no idea what the myriad of apps you’re using are connecting to and whether that endpoint is encrypted. Do not underestimate the ability of firms to produce software at the absolute lowest cost with corners and walls missing.

    If I was someone who was to make money off of scamming people, one thing I’d have tried to do is to rig portable sniffers at public locations with large foot traffic and open WiFi like train stations, airports, etc. Throw em around then filter for interesting stuff. Oh here’s some personal info. Oh there’s a session token for some app. Let me see what else I can get from that app for that person.



  • There’s zero MS in the stack on anything with SYNC4 and newer. Your salesperson is wrong. Even development is largely done on Ubuntu. SYNC 4 has two front ends, one’s Qt which has some Panasonic outsourcing baggage, the newer one is web based. The latter is what’s in the Mach-e. Since about 2017 all of this has moved in house. Ford hired the whole BlackBerry mobile R&D org in late 2016 - people, offices and everything. It’s had an honest-to-god software org since then.

    Your Flex probably had the older SYNC iteration that was MS developed. BTW I’m not sure if it was Windows based or whether it was QNX with MS devs creating the software stack on top of it.