
Comment by OptionOfT

1 month ago

Not sure why you're downvoted.

You create a server and host it on IP x. You create a cert for it. You add the public key to your app.

Your app can now communicate with that IP over port 443 with that certificate. Remember that the idea that the domain must match the one in the certificate is a setting, enforced by the browsers. If you run your own code you can perfectly override that.

Now you can do whatever you like on that connection.

In fact, you don't HAVE to go that far. Many applications these days do private key pinning and use that connection to load the ads. IMDb does that on the iPhone.

MyQ and myBMW use the same to 'protect' the connection. MyQ's implementation of this, and subsequent implementation of CloudFlare's bot protection completely broke home-assistant's connection. All because they want you to use their app (and get bombarded with ads).

DoH/DoT was supposed to bring in MORE privacy for users, as it allowed users to resolve addresses without the system servicing the connection (ISP / StarBucks / McDonald's) from being able to see or modify the responses (think captive pages).

But all it brought was more spying. I am a firm believer that I should be able to inspect all traffic that an application sends out over my internet connection.
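The pinning and hostname-matching behaviour the comment describes, shown as an added example in Go (standard library only); this is not the commenter's code nor any of the named apps' code. It spins up a TLS server on loopback with a self-signed certificate constructed for the example, then connects to it with two client policies: one that trusts a single pinned SubjectPublicKeyInfo hash and never looks at the name, and the browser-style one that trusts a root and requires the name to match. The names `api.example` and `wrong.example` are constructed placeholders. The point a defender should take from it is that both checks live entirely in the client's configuration, and that a pinned client rejects any other key, including one presented by an inspection proxy on the user's own network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // key generation or a loopback listener failing is not something this example recovers from
	}
	return v
}

// selfSignedCert builds an in-memory self-signed server cert for dnsName (constructed for this example).
func selfSignedCert(dnsName string) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	leaf := must(x509.ParseCertificate(der))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo: what an app embeds when it "adds the public key".
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinnedClientConfig trusts exactly one public key: no CA store and no hostname check.
// InsecureSkipVerify removes Go's default verifier, so this callback is the only check left.
func pinnedClientConfig(pin string) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			// Go aborts the handshake on an empty chain before this runs, so rawCerts[0] exists.
			if leaf, err := x509.ParseCertificate(rawCerts[0]); err != nil {
				return err
			} else if spkiPin(leaf) != pin {
				return errors.New("server public key does not match the pin")
			}
			return nil
		},
	}
}

// caClientConfig is the browser-style policy: trust root and require the cert to carry expectName.
func caClientConfig(root *x509.Certificate, expectName string) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &tls.Config{RootCAs: pool, ServerName: expectName}
}

// handshake serves serverCert on loopback, dials it with cfg and returns the client-side verdict.
func handshake(serverCert tls.Certificate, cfg *tls.Config) error {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}}))
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake() // drive the server side; its error is not the verdict
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// Results runs four client policies against one server that holds api.example's key.
type Outcome struct{ PinnedKeyAccepted, WrongPinRejected, RightNameAccepted, WrongNameRejected bool }

func Results() Outcome {
	server := selfSignedCert("api.example")
	other := selfSignedCert("api.example") // same name, different key pair
	return Outcome{
		PinnedKeyAccepted: handshake(server, pinnedClientConfig(spkiPin(server.Leaf))) == nil,
		WrongPinRejected:  handshake(server, pinnedClientConfig(spkiPin(other.Leaf))) != nil,
		RightNameAccepted: handshake(server, caClientConfig(server.Leaf, "api.example")) == nil,
		WrongNameRejected: handshake(server, caClientConfig(server.Leaf, "wrong.example")) != nil,
	}
}

func main() {
	fmt.Printf("%+v\n", Results())
}
```

Run it with `go run` on any machine that allows a loopback listener; all four fields print as `true`. The `InsecureSkipVerify` plus `VerifyPeerCertificate` pairing is the standard-library way to express a pin, and it is also where pinning code commonly goes wrong: setting `InsecureSkipVerify` without supplying a callback leaves the client accepting any key from any name, which is worse than either policy above.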