Well that’s terrifying. I had no idea that adding a root certificate enabled man-in-the-middle like this. I had assumed that the root cert would have to be in the cert chain for the specific site to be intercepted. I’ve installed certs for employers before, but I had no idea they could intercept encrypted traffic for domains other than the work domains.

Do apps that worry about this kind of attack do additional encryption on top of using https?