• 0 Posts
  • 2 Comments
Joined 1 year ago
cake
Cake day: July 3rd, 2023

help-circle
  • As long as it’s installed on a device you control it’s pretty easy to sniff TLS traffic from an Android application, even if they’re pinning certs. I do this all the time for work. Frida makes it extremely easy, even giving you the ability to edit boringssl if something important is happening in native code. I’ve had to do this a couple times.

    If you don’t have root you’ll have to recompile the application though which could matter if you need the signature to not change, but that isn’t a common requirement.

    It’d be nice to have a better way to test though; I’ve wanted to check out Waydroid. Some coworkers just use an emulator which works great if it doesn’t need specific hardware.


  • This doesn’t seem to be a Rust problem, but a modern development trend appearing in a Rust tool shipped with Cargo. The issue appears to be the way things are versioned and (reading between the lines maybe?) vendoring and/or lockfiles. Lockfiles exist in a lot of modern languages and package managers: Go has go.sum, Rust has Cargo which has Cargo.lock, Python has pip which gives a few different ways to pin versions, JavaScript has npm and yarn with lock files. I’m sure there are tons of others. I’m actually surprised this doesn’t happen all the time with newer projects. Maybe it does actually and this instance just gains traction because people get to say “look Rust bad Debian doesn’t like it”.

    This seems like a big issue if you want your code to be packaged by Debian, and it doesn’t seem easy to resolve if you also want to use the modern packaging tools. I’m not actually sure how they resolve this? There are real benefits to pinning versions, but there are also real benefits to Debian’s model (of controlling all the dependencies themselves, to some extent Debian is a lockfile implemented on the OS level). Seems like a tough problem and seems like it’ll end up with a lot of newer tools just not being available in Debian (by that I mean just not packaged by Debian, they’ll likely all run fine on Debian).