Skip to main content

2 posts tagged with "ip-only"

View All Tags
DetectedMITM / replayCompliance

RobinHood TN: SSL certificate pinning blocks network interception on iOS + Android ✓ — but still no device-level geolocation

Robinhood (Prediction Markets)
robinhoodmitmssl-pinningip-onlyciV-60

Source. May 19, 2026 weekly sync.
Ticket. CIV-60: RobinHood — RAT.

What we tested

Network-level interception attacks against the RobinHood Tennessee prediction-markets product. Two tools across two platforms:

  • iOS — Charles Proxy attempting to intercept geolocation traffic.
  • Android — mitmproxy attempting to intercept and rewrite TLS traffic.

What happened

  • iOS: Charles Proxy was unable to capture any geolocation- related traffic. SSL certificate pinning is in place.
  • Android: mitmproxy produced a TLS handshake failure during app start-up, rendering the application unusable for any interception attempt.

Both platforms successfully resisted the network-level interception attack.

Why it matters — read both halves

The good half. SSL certificate pinning across iOS and Android is the right call. RobinHood's app cannot be talked at by a proxy in the middle. This rules out the "rewrite the geo response in flight" class of attack entirely.

The other half. RobinHood does not use a device-level geolocation SDK — location verification is IP-based only. The network they're protecting with SSL pinning is carrying IP-derived location, not GPS / Wi-Fi / motion / device- integrity signals. So:

  • MITM-class attacks are blocked.
  • Every spoofing class above the network layer (VPN, residential proxy, GPS simulator from a different state) remains uncontested by the application itself, because there is no application-side geolocation to bypass — there is only IP.

The overall compliance posture is still significantly weaker than any SDK-based solution. The MITM positive is real and worth recording — but it doesn't move the verdict on RobinHood's overall regulated- gaming readiness.

Cross-reference

  • RobinHood TN — no device-level geolocation (May 11) — the structural finding the MITM positive sits on top of.
  • This is not a competitor finding in the geo-vendor sense — RobinHood is the operator, and the relevant comparison is "what would a real geo SDK add here." Useful context when evaluating competitor footprints in prediction markets (Kalshi, Polymarket, etc.).

May 19 weekly sync →

MissedComplianceMITM / replay

RobinHood (TN, prediction markets): no device-level geolocation — IP-only, trivially bypassed

Robinhood (Prediction Markets)
robinhoodreplay-attackip-onlyprediction-markets

What we tested. RobinHood Tennessee prediction-markets product. Internal ticket CIV-60: RobinHood - RAT. Replay-attack test cycle (May 11 weekly).

What happened. No device-level geolocation in place. RobinHood relies solely on IP address to verify player location. Basic location- spoofing tools went undetected. A player can bypass all location restrictions without any sophisticated technical knowledge.

Why it matters. This is not a geo vendor finding — RobinHood is not using a geolocation product. It falls significantly short of regulated gaming standards and represents a meaningful compliance exposure. Worth tracking as a competitive opportunity (RobinHood prediction markets is a greenfield for a real geo product) and as context when evaluating competitor footprints in prediction markets (Kalshi, Polymarket are also in Locance's expansion list).

Cross-reference, same test cycle. Bet365 TN (Radar) replay-attack: network-level attacks fully blocked. Minor visibility gap in the verification flow but not exploitable in practice — no compliance risk.

Radar profile → · Xpoint profile →