
> from mobile apps (most of which have to be encrypted now I think)

Since the end of 2016 on iOS and since Android v9, apps have to communicate over HTTPS. I guess you can technically visit HTTP sites via a browser, but I'd bet that >90% of the traffic from smartphones is over HTTPS.




> since Android v9, apps have to communicate over HTTPS

That isn't true. It is the default but Android lets you override the defaults and use unencrypted traffic both in WebViews and in networking APIs.


It’s not true in iOS either. It’s possible for an app to whitelist specific domains.
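
Both overrides described in the two comments above are declared in files shipped with the app, so they can be checked for. The following is an added example, not part of the thread: a Python script that flags cleartext opt-ins in an Android manifest and network security config and in an iOS Info.plist. The sample files and the domain legacy.example are constructed.

```python
import plistlib
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

def android_cleartext(manifest_xml, nsc_xml=None):
    """List the places where an Android app opts back into cleartext HTTP."""
    found = []
    app = ET.fromstring(manifest_xml).find("application")
    if app is not None and app.get(ANDROID + "usesCleartextTraffic") == "true":
        found.append("manifest: usesCleartextTraffic=true")
    if nsc_xml:
        root = ET.fromstring(nsc_xml)
        base = root.find("base-config")
        if base is not None and base.get("cleartextTrafficPermitted") == "true":
            found.append("nsc: base-config permits cleartext")
        for dc in root.iter("domain-config"):  # includes nested configs
            if dc.get("cleartextTrafficPermitted") == "true":
                for d in dc.findall("domain"):
                    found.append("nsc: cleartext for " + (d.text or "").strip())
    return found

def ios_cleartext(info_plist):
    """List App Transport Security exceptions that allow plain HTTP."""
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity", {})
    found = []
    if ats.get("NSAllowsArbitraryLoads"):
        found.append("ats: NSAllowsArbitraryLoads=true")
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads"):
            found.append("ats: insecure HTTP for " + domain)
    return found

# Constructed sample files; legacy.example is a placeholder domain.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:usesCleartextTraffic="true"/></manifest>"""
NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">legacy.example</domain>
  </domain-config></network-security-config>"""
PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>NSAppTransportSecurity</key><dict>
  <key>NSExceptionDomains</key><dict><key>legacy.example</key><dict>
    <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
  </dict></dict></dict></dict></plist>"""

if __name__ == "__main__":
    for line in android_cleartext(MANIFEST, NSC) + ios_cleartext(PLIST):
        print(line)
```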


Do iOS or Android have any requirements vis-à-vis HSTS or HPKP?


Banking apps require them anyway (because of PCI-DSS, etc.)



