How does that work? I assume these APIs use SSL, which should prevent such MitM attacks.
Are those Apps using the system SSL library which bypasses certificate validation for those domains? Or does the OS add a Root CA to the certificate store which signs fake certificates for those domains?
I forget the shape of the API but the pebble requests resources over Bluetooth and the mobile app actually makes the requests so it should be able to rewrite anything before/after a request easily.
Are those Apps using the system SSL library which bypasses certificate validation for those domains? Or does the OS add a Root CA to the certificate store which signs fake certificates for those domains?