The application contains code which overrides Android's built in certificate validation procedures and allows HTTPS connections to be created without establishing trust properly. If this connection is created, remote attacked could intercept and modify that traffic to and from the app. This type of vulnerability can also be flagged as a blocker by the Android Play Store.
Steps to Reproduce
This check looks for custom implementations of the Android HostnameVerifier which does not perform proper checks against certificates and handle exceptions properly. Exceptions are how the method handles bad certificates and must be accounted for to prevent establishing insecure connections.
Business Impact
The app has code which overrides built in security protections. That code allows for insecure network connections to be created which expose users to remote attacks and information leakage.
Remediation Resources
If avoidable, do not create your own implementations of certificate validation - in this case removing the code which is overriding the default implementation will likely remediate this check, however that may not be an option for your app. If you have to implement your own make certain that checkServerTrusted properly handles exceptions as they indicate a problem with the certificate being evaluated.
The Findings Evidence below gives the class and method of the code which is being flagged as insecure. More verbose data is available in the raw output of the debugging section.
Finding Description
The application contains code which overrides Android's built in certificate validation procedures and allows HTTPS connections to be created without establishing trust properly. If this connection is created, remote attacked could intercept and modify that traffic to and from the app. This type of vulnerability can also be flagged as a blocker by the Android Play Store.
Steps to Reproduce
This check looks for custom implementations of the Android HostnameVerifier which does not perform proper checks against certificates and handle exceptions properly. Exceptions are how the method handles bad certificates and must be accounted for to prevent establishing insecure connections.
Business Impact
The app has code which overrides built in security protections. That code allows for insecure network connections to be created which expose users to remote attacks and information leakage.
Remediation Resources
If avoidable, do not create your own implementations of certificate validation - in this case removing the code which is overriding the default implementation will likely remediate this check, however that may not be an option for your app. If you have to implement your own make certain that
checkServerTrustedproperly handles exceptions as they indicate a problem with the certificate being evaluated. The Findings Evidence below gives the class and method of the code which is being flagged as insecure. More verbose data is available in the raw output of the debugging section.Risk and Regulatory Information
Severity: high CVSS: 7
Application
See more detail in the NowSecure Report