Closed jnowsecure closed 9 months ago
Update: This finding has been marked as resolved by Jack Nevill. No additional action is required.
Powered by NowSecure Platform
Update: This finding has been marked as no longer resolved by Jack Nevill. Additional action is required.
Update: This finding has been dismissed by Moi, Edwin with reason "risk accepted". No additional action is required.
Finding Description
The app has globally allowed insecure connections.
By default, Android prohibits the use of cleartext communications in apps targeting Android 9 or above. If your app explicitly allows cleartext connections (using the unencrypted HTTP protocol instead of HTTPS), this increases the risk of exposing sensitive data by accident.
There are two main ways that an app can allow cleartext connections:
- android:usesCleartextTraffic is set to true in the Android manifest file.
- cleartextTrafficPermitted is set to true within the base-config element of the Network Security Config, which enables cleartext traffic globally for the app, or within a domain-config element for a more fine-grained approach, which applies the exception only to specific domains and their subdomains.
Steps to Reproduce
The manifest file included with the app binary is analyzed, specifically the attributes android:usesCleartextTraffic and android:networkSecurityConfig. If a Network Security Config file is specified, this test also inspects that file, looking for the global setting cleartextTrafficPermitted being set to true.
Business Impact
The app is configured to allow insecure network connections, which could lead to sensitive data being intercepted or modified.
Remediation Resources
Recommended Fix
No evidence table is provided for this finding, because the conditions described are the only ones that can cause the finding to appear.
Starting with Android 9 (API level 28), cleartext support is disabled by default. You need to ensure that your app is not enabling it.
Review the Android manifest (AndroidManifest.xml) at the root of your project source set and check whether:
- android:usesCleartextTraffic is present. If it is, remove it.
- android:networkSecurityConfig is present. If it is, navigate to the file indicated by its value (typically res/xml/network_security_config.xml) and verify that there are no occurrences of cleartextTrafficPermitted being set to true. Otherwise, set them to false or remove them.
If your app targets Android 8.1 (API level 27) or lower, you must explicitly opt out of cleartext traffic.
Note: If your app needs to establish cleartext connections to some specific backends, you may consider allowing cleartext only for those connections. However, this still represents a critical risk in your app and must be avoided at all costs. You should prefer to enable secure connections on that backend, or replace it with another one that is secure.
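The check described under Steps to Reproduce and the manifest review in the Recommended Fix, as an added example that is not part of the NowSecure finding and not NowSecure's own code: a small Python script that parses an Android manifest and a Network Security Config and reports every cleartext setting. The manifest and config documents embedded in it are constructed samples for a hypothetical app, and the function names are my own.

```python
"""Added example: report cleartext settings in an Android manifest and a
Network Security Config. Not NowSecure code; all sample XML is constructed."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest for a hypothetical app: cleartext allowed globally.
MANIFEST_CLEARTEXT = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
  <application android:usesCleartextTraffic="true"
               android:networkSecurityConfig="@xml/network_security_config" />
</manifest>
"""

# Constructed sample manifest after remediation: attribute removed, config kept.
MANIFEST_FIXED = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
  <application android:networkSecurityConfig="@xml/network_security_config" />
</manifest>
"""

# Constructed Network Security Configs: weak (global), scoped (one domain), fixed.
NSC_WEAK = """
<network-security-config>
  <base-config cleartextTrafficPermitted="true" />
</network-security-config>
"""
NSC_SCOPED = """
<network-security-config>
  <base-config cleartextTrafficPermitted="false" />
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">legacy.example.invalid</domain>
  </domain-config>
</network-security-config>
"""
NSC_FIXED = """
<network-security-config>
  <base-config cleartextTrafficPermitted="false" />
</network-security-config>
"""


def manifest_attrs(manifest_xml: str) -> Dict[str, Optional[str]]:
    """Read the two <application> attributes the finding looks at."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return {"usesCleartextTraffic": None, "networkSecurityConfig": None}
    return {
        "usesCleartextTraffic": app.get("{%s}usesCleartextTraffic" % ANDROID_NS),
        "networkSecurityConfig": app.get("{%s}networkSecurityConfig" % ANDROID_NS),
    }


def nsc_findings(nsc_xml: str) -> List[str]:
    """List every place the config sets cleartextTrafficPermitted="true"."""
    root = ET.fromstring(nsc_xml)
    findings = []
    base = root.find("base-config")
    if base is not None and base.get("cleartextTrafficPermitted", "").lower() == "true":
        findings.append("base-config permits cleartext globally")
    for dc in root.iter("domain-config"):  # iter() also reaches nested domain-config
        if dc.get("cleartextTrafficPermitted", "").lower() == "true":
            names = [d.text.strip() for d in dc.findall("domain") if d.text]
            findings.append("domain-config permits cleartext for: " + ", ".join(names))
    return findings


def global_cleartext_allowed(manifest_xml: str, nsc_xml: Optional[str]) -> bool:
    """The finding's condition: cleartext allowed app-wide via either route.
    Both are flagged, as the finding does. At runtime, when a Network Security
    Config is present the platform ignores android:usesCleartextTraffic, so the
    base-config value is what actually applies; the attribute should still go."""
    attrs = manifest_attrs(manifest_xml)
    if (attrs["usesCleartextTraffic"] or "").lower() == "true":
        return True
    if nsc_xml is not None:
        return any(f.startswith("base-config") for f in nsc_findings(nsc_xml))
    return False


if __name__ == "__main__":
    for label, nsc in (("weak", NSC_WEAK), ("scoped", NSC_SCOPED), ("fixed", NSC_FIXED)):
        print(label, nsc_findings(nsc), global_cleartext_allowed(MANIFEST_FIXED, nsc))
```

The scoped sample is reported but does not trip the global condition, which mirrors how the finding is described: only the manifest attribute or a base-config value of true counts as "globally allowed"; a domain-config exception is still listed so the reviewer can weigh it against the Note above.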
Code Samples
Good Code Example (.xml)
Additional Guidance
<application> element: https://developer.android.com/guide/topics/manifest/application-element
Risk and Regulatory Information
Severity: medium
CVSS: 5.3
Policy Category: Default Priority 1
Application
See more detail in the NowSecure Report