Skip to main content

One post tagged with "ssl-pinning"

View All Tags
DetectedMITM / replayCompliance

RobinHood TN: SSL certificate pinning blocks network interception on iOS + Android ✓ — but still no device-level geolocation

Robinhood (Prediction Markets)
robinhoodmitmssl-pinningip-onlyciV-60

Source. May 19, 2026 weekly sync.
Ticket. CIV-60: RobinHood — RAT.

What we tested

Network-level interception attacks against the RobinHood Tennessee prediction-markets product. Two tools across two platforms:

  • iOS — Charles Proxy attempting to intercept geolocation traffic.
  • Android — mitmproxy attempting to intercept and rewrite TLS traffic.

What happened

  • iOS: Charles Proxy was unable to capture any geolocation- related traffic. SSL certificate pinning is in place.
  • Android: mitmproxy produced a TLS handshake failure during app start-up, rendering the application unusable for any interception attempt.

Both platforms successfully resisted the network-level interception attack.

Why it matters — read both halves

The good half. SSL certificate pinning across iOS and Android is the right call. RobinHood's app cannot be talked at by a proxy in the middle. This rules out the "rewrite the geo response in flight" class of attack entirely.

The other half. RobinHood does not use a device-level geolocation SDK — location verification is IP-based only. The network they're protecting with SSL pinning is carrying IP-derived location, not GPS / Wi-Fi / motion / device- integrity signals. So:

  • MITM-class attacks are blocked.
  • Every spoofing class above the network layer (VPN, residential proxy, GPS simulator from a different state) remains uncontested by the application itself, because there is no application-side geolocation to bypass — there is only IP.

The overall compliance posture is still significantly weaker than any SDK-based solution. The MITM positive is real and worth recording — but it doesn't move the verdict on RobinHood's overall regulated- gaming readiness.

Cross-reference

  • RobinHood TN — no device-level geolocation (May 11) — the structural finding the MITM positive sits on top of.
  • This is not a competitor finding in the geo-vendor sense — RobinHood is the operator, and the relevant comparison is "what would a real geo SDK add here." Useful context when evaluating competitor footprints in prediction markets (Kalshi, Polymarket, etc.).

May 19 weekly sync →