Finding Description
The application was found to be using a vulnerable version of the OkHttp library.
In the affected versions, an attacker can bypass certificate pinning by presenting a certificate chain that contains a certificate from a non-pinned trusted CA together with the pinned certificate, so the pin check passes even though the chain was not issued by the pinned party.
OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers on the same local or upstream network to bypass certificate pinning and potentially intercept and modify network data.
Steps to Reproduce
During static analysis, the binary is searched for vulnerable versions of the third-party library OkHttp.
Business Impact
The app communicates over the network using a third-party library that is not secure.
A malicious actor could remotely read and modify information flowing to and from the app, potentially for multiple users at once.
Remediation Resources
Update the version of OkHttp used in the application to 4+.
Risk and Regulatory Information
Severity: medium CVSS: 5.9