lcimeni / cookie


NowSecure dynamic analysis: Insecurely Transmitting Zip Files Could Lead to Remote Code Execution #292

Open lcimeni opened 2 years ago

lcimeni commented 2 years ago

Finding Description

The application was found to transmit zip files over the network inside HTTP. A remote attacker could execute arbitrary code by intercepting and modifying insecure communications in the app, resulting in data exfiltration or changing how the app functions. Zip files should be closely controlled and protected, as they are often crucial to an app's processes, security and privacy. Once an attacker has RCE, they can leverage the app as a phishing vector or malware, to steal confidential data, monitor the user or display offensive content. This vector could also be used to bypass controls used by the app to protect intellectual property.

Steps to Reproduce

While running the app on a physical device, check any HTTP traffic for .zip files sent to the app.

Business Impact

This app is receiving data insecurely. It is possible to modify how the application works and gain access to sensitive information or even the device itself.

Remediation Resources

Enforce the use of SSL/TLS for all transport channels in which sensitive information, session tokens, or other sensitive data is going to be communicated to a backend API or web service. Properly validate the SSL/TLS certificate to ensure it is signed by a trusted certificate authority (CA) and contains the correct hostname. An even more secure approach is to use Certificate Pinning to mitigate the possibility of SSL/TLS weaknesses. Certificate Pinning means making sure the client checks the server's certificate against a known copy of that certificate. Simply bundle your server's certificate inside your application, and make sure any SSL/TLS request first validates that the server's certificate exactly matches the bundled certificate. For some apps, Certificate Pinning may be impossible to do. If your app allows users to enter their own domain names to connect to services, then you have no opportunity to embed that certificate. However, if your app is intended to connect to a known server, or set of servers, you have all the information you need to guarantee that the client is indeed talking directly to the server, without a man in the middle eavesdropping. Details and code snippets can be found at https://developer.android.com/training/articles/security-ssl.

The evidence table provides the endpoint the data was sent to or from, as well as the payload the data was included in.

Risk and Regulatory Information

Severity: high
CVSS: 7.6
