By default, Android prohibits cleartext (unencrypted HTTP) traffic in apps that target Android 9 (API level 28) or above. Opting out of this default increases the risk of regressing to cleartext traffic and exposing sensitive data by accident.
This is particularly the case when cleartextTrafficPermitted="true" is set at the base-config level, which permits cleartext for every connection the app initiates. The alternative is a fine-grained, per-domain exception in a domain-config, which applies only to the listed domains (and, where includeSubdomains="true" is set on the domain element, their subdomains).
Steps to Reproduce
The manifest (AndroidManifest.xml) bundled with the app binary is analyzed, specifically the android:networkSecurityConfig attribute on the <application> element, which references the network security configuration file (usually res/xml/network_security_config.xml). That file is checked for the global setting cleartextTrafficPermitted="true" on the base-config element. No evidence table is provided for this finding, because this condition is the only one that can cause it to appear; a cleartext exception confined to a domain-config does not trigger it.
Business Impact
The app is configured to allow insecure network connections, which could lead to sensitive data being intercepted or modified.
Remediation Resources
Recommended Fix
Review the application's network security configuration. Ideally there are no cleartext connections at all, so cleartextTrafficPermitted should not be set to true anywhere in the file. Note that when a network security configuration is present, the android:usesCleartextTraffic manifest attribute is ignored, so the XML file is the authoritative place to check.
If this is not possible, e.g. because a dependency you do not control and cannot replace relies on cleartext connections, keep base-config at the secure default and enable cleartextTrafficPermitted only in a domain-config covering the hosts that dependency talks to. In the long term, look into replacing that dependency with one that does not make cleartext connections.
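The following is an added example, not NowSecure's scanner and not code from any app. It reproduces the check from the Steps to Reproduce above against two constructed network_security_config.xml files, the weak one that triggers the finding and the scoped one recommended here, and it also walks nested domain-config blocks, because a nested block that omits cleartextTrafficPermitted inherits its parent's value. The element and attribute names are the real ones from the Android Network Security Configuration format; the hostnames are placeholders.

```python
"""Flag app-wide cleartext in an Android network_security_config.xml.

Added example; standard library only. The finding on this page fires
only when <base-config> itself carries cleartextTrafficPermitted="true".
"""
import xml.etree.ElementTree as ET

# Constructed sample: the weak configuration. cleartextTrafficPermitted
# on <base-config> applies to every connection the app makes.
WEAK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""

# Constructed sample: the recommended shape. base-config keeps the
# Android 9+ default and the exception is scoped to one placeholder host.
SCOPED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">legacy-api.example.com</domain>
    </domain-config>
</network-security-config>
"""

# Constructed sample: the nested <domain-config> sets no attribute, so
# cdn.example.net silently inherits cleartext from its parent block.
NESTED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">legacy-api.example.com</domain>
        <domain-config>
            <domain>cdn.example.net</domain>
        </domain-config>
    </domain-config>
</network-security-config>
"""


def _is_true(value):
    return value is not None and value.strip().lower() == "true"


def _collect(dc, inherited, out):
    """Append hosts of this domain-config (and nested ones) that permit cleartext."""
    attr = dc.get("cleartextTrafficPermitted")
    permitted = inherited if attr is None else _is_true(attr)
    if permitted:
        out.extend(d.text.strip() for d in dc.findall("domain") if d.text)
    for child in dc.findall("domain-config"):
        _collect(child, permitted, out)


def analyze_config(xml_text):
    """Return where cleartext is permitted in a network-security-config document.

    'finding' mirrors the page's condition: base-config explicitly set to true.
    A missing base-config is treated as the platform default for apps targeting
    Android 9+, i.e. cleartext off (assumption: older target SDKs default to on).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "network-security-config":
        raise ValueError("not a network-security-config document")

    base = root.find("base-config")
    base_cleartext = base is not None and _is_true(base.get("cleartextTrafficPermitted"))

    hosts = []
    for dc in root.findall("domain-config"):
        _collect(dc, base_cleartext, hosts)

    return {"finding": base_cleartext, "cleartext_domains": hosts}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("scoped", SCOPED_CONFIG), ("nested", NESTED_CONFIG)):
        print(name, analyze_config(cfg))
```

Run it against the file pulled from a decoded APK (for example with apktool) by reading that file into analyze_config instead of the constructed strings; the cleartext_domains list is the set of hosts you still owe a migration plan for even when the finding itself does not fire.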
Code Samples
Good Code Example (.xml)
Additional Guidance
Risk and Regulatory Information
Severity: medium CVSS: 5.3
Application
See more detail in the NowSecure Report