Old 30 Dec 2018, 11:35 PM   #11
JeremyNicoll
Quote:
Originally Posted by easemail
I use the Fastmail app on my phone and I wonder how "phishable" it would be using an authenticator app. I see how going through a browser would put you at risk, but does anyone know how robust the app is by chance? I assume that it's not just a simple browser-wrapped app, but I'm not sure.
No matter what the app is, it has to send traffic to and from Fastmail's servers (just like the browser would do). It seems to me that that would be just as susceptible to a man-in-the-middle attack? Unless the app doesn't use DNS to look up the FM server's name and find its IP address - but if that were so it would also mean it couldn't be diverted to alternate FM servers (when e.g. FM have an outage on one set of servers). Or, unless the app encrypts traffic using a key that only it (and the FM servers) know - but is that possible? Couldn't bad guys reverse-engineer the app and discover the key?