I have a mobile application where all the requests go via HTTPS. I need to know: if I pass my input parameters in the request as query string and POST params, is there any chance that my request parameters will get traced by a hacker? Or will they be in an encrypted format, so there will not be any issue?
possible duplicate of [Is an HTTPS query string secure?](http://stackoverflow.com/questions/323200/is-an-https-query-string-secure) – Cristian Greco Oct 18 '14 at 10:20
2 Answers
0
When using HTTPS, both querystring and post parameters are secure, because the underlying connection is secure.
Anyway, use of GET with querystring parameters containing sensitive data is discouraged (more here).

Cristian Greco
But in Android we also have custom ROMs. If someone rooted the device and installed a custom ROM whose security is weak, then in that case is it possible that a hacker can trace the sensitive information from the request or the response received from the server? – Javed Ameen Shaikh Oct 20 '14 at 16:56
Well... of course it is possible that a ROM contains malicious binaries, but the same holds for any piece of software that you use on a daily basis, especially closed-source or pre-compiled binaries. We can only say that, as far as we know today, when the connection is encrypted both sides of the communication can trust each other and the content they are sending/receiving. But you simply can't defend against crafted binaries, flawed implementations, flawed protocol design (see SSLv3) or even human stupidity. :-) – Cristian Greco Oct 20 '14 at 18:24
I have used **Fiddler** to trace the HTTPS requests, and unfortunately I am able to trace the inputs that I have provided in the URL GET or POST parameters. The only thing that I have noticed here is that, in a mobile application or desktop browser, if someone accepts an untrusted (self-signed certificate) SSL connection, then using Fiddler it is easier to get all the inputs passed from the mobile device or browser. As of now Fiddler has an untrusted certificate, but **what if a man in the middle has a trusted SSL certificate inside Fiddler?** – Javed Ameen Shaikh Nov 12 '14 at 14:14
0
Both sides are secure, at least at the current standard of knowledge. If you use GET you may have problems.

Etixpp
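Added example (not part of either answer): both answers note that GET with sensitive query-string parameters is discouraged even over HTTPS. One reason is that the server writes the full request line, query string included, to its access log after TLS has been terminated, while a POST body is not logged by default. The sketch below scans access-log lines for sensitive parameter names and redacts their values; the parameter list, the common/combined log layout and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumption: parameter names treated as sensitive; adapt to your own API.
SENSITIVE = {"password", "passwd", "token", "access_token", "api_key", "otp"}

# Request line of a common/combined-format access-log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

# Constructed sample entries, as a server would write them after TLS termination.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Oct/2014:10:20:01 +0000] "GET /login?user=alice&password=s3cret HTTP/1.1" 200 512',
    '203.0.113.7 - - [18/Oct/2014:10:20:05 +0000] "POST /login HTTP/1.1" 200 512',
    '203.0.113.9 - - [18/Oct/2014:10:21:11 +0000] "GET /items?page=2 HTTP/1.1" 200 1024',
]

def find_leaks(log_line):
    """Return (method, path, [sensitive parameter names]) or None if the line is clean."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() in SENSITIVE]
    return (m.group("method"), parts.path, names) if names else None

def redact(log_line):
    """Return the log line with the values of sensitive query parameters replaced."""
    def _sub(m):
        parts = urlsplit(m.group("target"))
        pairs = parse_qsl(parts.query, keep_blank_values=True)
        if not any(k.lower() in SENSITIVE for k, _ in pairs):
            return m.group(0)  # leave clean request lines byte-for-byte unchanged
        pairs = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
        target = parts._replace(query=urlencode(pairs)).geturl()
        return '"%s %s %s"' % (m.group("method"), target, m.group("proto"))
    return REQUEST_RE.sub(_sub, log_line, count=1)

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        hit = find_leaks(line)
        if hit:
            print("sensitive parameter(s) %s in %s %s" % (hit[2], hit[0], hit[1]))
            print("  redacted:", redact(line))
```

Redacting the log only cleans up one stored copy; sending the value in the POST body or a header keeps it out of the request line in the first place.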