
I'd drop "hacking is cool" from this list and add "trusting the client".

I've seen an increase in attempts to trust the client lately, from mobile apps demanding proof the OS is unmodified to Google's recent attempt to add similar DRM to the web. If your network security model relies on trusting client software, it is broken.
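The comment's point, as an added example that is not the commenter's own code and not any real bank's API: a server that believes fields only the client can fill in ("my device is unmodified", "this is within my limit", "debit this account") is defeated by any client that sends different bytes, while a server that re-derives every decision from its own state is indifferent to what the client claims. The ledger, session table and tampered request below are constructed for the example.

```python
import json
from decimal import Decimal, InvalidOperation


def fresh_state():
    """Constructed server-side state (an assumption for this example):
    balances, remaining daily limit per user, and bearer-token -> user sessions."""
    return (
        {"alice": Decimal("100"), "mallory": Decimal("5")},   # balances
        {"alice": Decimal("50"), "mallory": Decimal("50")},   # remaining daily limit
        {"tok-mallory": "mallory"},                           # valid session tokens
    )


# Constructed request as a modified client could send it: it names someone
# else's account and asserts that its own client-side checks all passed.
TAMPERED = json.dumps({
    "token": "tok-mallory",
    "from": "alice",
    "to": "mallory",
    "amount": "90",
    "integrity_ok": True,
    "within_limit": True,
})


def transfer_trusting_client(raw, balances, limits, sessions):
    """Broken pattern: the server trusts what the client reports about itself."""
    req = json.loads(raw)
    if not req.get("integrity_ok"):     # an unmodified app sets this honestly...
        return "rejected: client reports modified device"
    if not req.get("within_limit"):     # ...a modified one sets whatever it likes
        return "rejected: client reports limit exceeded"
    amt = Decimal(req["amount"])
    balances[req["from"]] -= amt        # 'from' is never tied to the caller's session
    balances[req["to"]] += amt
    return "ok"


def transfer_server_checked(raw, balances, limits, sessions):
    """Hardened pattern: every decision is re-derived from server-side state;
    client-supplied 'from', 'integrity_ok' and 'within_limit' are ignored."""
    req = json.loads(raw)
    src = sessions.get(req.get("token"))  # identity comes from the session, not the body
    if src is None:
        return "rejected: no valid session"
    dst = req.get("to")
    if dst not in balances or dst == src:
        return "rejected: bad destination"
    try:
        amt = Decimal(str(req.get("amount")))
    except (InvalidOperation, ValueError):
        return "rejected: bad amount"
    # Reject NaN/Infinity, non-positive amounts and sub-cent precision.
    if not amt.is_finite() or amt <= 0 or amt != amt.quantize(Decimal("0.01")):
        return "rejected: bad amount"
    if amt > balances[src]:
        return "rejected: insufficient funds"
    if amt > limits[src]:                 # the limit is enforced here, not by the app
        return "rejected: daily limit"
    balances[src] -= amt
    balances[dst] += amt
    limits[src] -= amt
    return "ok"


if __name__ == "__main__":
    b, l, s = fresh_state()
    print("trusting client:", transfer_trusting_client(TAMPERED, b, l, s), dict(b))
    b, l, s = fresh_state()
    print("server checked: ", transfer_server_checked(TAMPERED, b, l, s), dict(b))
```

The hardened handler never looks at the client's integrity claim at all: a boolean in a request body tells the server nothing it can verify, so the server is no worse off without it. Whatever attestation scheme the app uses, the checks that actually protect the ledger have to live where the attacker cannot edit them.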



It's not about security, it's about control. Modified systems can be used for nefarious purposes, like blocking ads. And Google wouldn't like that.


It's about control for Google and friends. If your bank's app uses SafetyNet, it's probably about some manager's very confused concept of security.


> If your bank's app uses SafetyNet, it's probably about some manager's very confused concept of security.

Or about making the auditor for the government-imposed security certification happy with the least amount of effort. It's always more work to come up with good answers for why you are not doing the industry-standard thing.


It only became a standard practice because of a misguided desire to rely on trusting the client.



