If an Android developer uses the Google SDKs, such as Google Play Services <https://developer.android.com/google/play-services/index.html>, or the Google APIs, will connections made by those APIs to Google be pinned or will they be vulnerable to MiTM attacks (e.g. rogue CA certificate)? I assume that these libraries are not doing their own pinning with their own TrustManager but are expecting the platform libcore enhancements made in Android 4.2 to provide this for them?
If this is the case, then those API calls to Google would be completely vulnerable to MiTM attack using rogue certificates on Android before 4.2? If so, are there any alternative mitigations out there to lock those connections down on older Android versions, which still make up just under 50% of the market?

-Jason

--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/android-security-discuss.
For more options, visit https://groups.google.com/d/optout.
