Finding Description
Phone Number was intercepted over HTTP traffic.
A remote attacker on the same local or upstream network as the user could use network monitoring software, such as Wireshark, to observe and modify the data.
Steps to Reproduce
Use a packet interception and analysis tool, such as Wireshark, on your testing network to identify unencrypted network traffic that may contain sensitive information.
NowSecure's test for this finding involves capturing HTTP traffic between an app running on a physical device and its servers. The captured HTTP traffic is examined for credential information, producing a list of credentials leaked to servers over insecure HTTP communications.
Business Impact
The app is not encrypting sensitive information being sent over the internet. A malicious actor could remotely see and/or modify the sensitive data coming to and from the endpoints listed, potentially affecting many users at once. Depending on the type of data being transmitted insecurely, this vulnerability could lead to exposure of sensitive personal data and/or intellectual property.
Remediation Resources
Recommended Fix
Enforce the use of SSL/TLS for all transport channels in which sensitive information, session tokens, and/or other sensitive data is going to be communicated to a backend API or web service.
Properly validate the SSL/TLS certificate to ensure it is signed by a trusted certificate authority (CA) and that it contains the correct hostname.
For applications that must account for compromised Certificate Authorities and for sophisticated phishing attacks against their users, additional security controls may be necessary to provide network protections. One such approach is to use certificate pinning to mitigate the possibility of SSL/TLS weaknesses. Certificate pinning ensures that the client checks the server's certificate against a known copy of that certificate. Bundling the server's certificate inside the application and ensuring that every SSL/TLS request first validates that the server's certificate exactly matches the bundled certificate is one method of accomplishing certificate pinning.
For some apps, certificate pinning may be impossible to perform. If the app allows users to enter their own domain names to connect to services, then no opportunity exists to embed a certificate. However, if the app is intended to connect to a known server or set of servers, all of the information is available to guarantee that the client is indeed talking directly to the server without a man in the middle eavesdropping. Please note that certificate pinning may not be suitable for organizations that cannot control the server-side certificate used in TLS validation or that are unable to perform certificate rotations quickly enough to accommodate certificate expiration requirements.
Certificate transparency is an alternative to certificate pinning that can be used to accomplish similar security protections without the same operational work. Certificate transparency is used to audit that a certificate has been issued legitimately by a certificate authority. This method prevents scenarios where a certificate was issued to a malicious actor for a domain the attacker does not own. Additional information can be found at https://github.com/babylonhealth/certificate-transparency-android.
Code Samples
Bad Code Sample (.kotlin)
import java.io.InputStream
import java.net.URL

// Plain-text HTTP: the query string (and any phone number or credential in it) crosses the network unencrypted
val url = URL("http://examplesearchengine.com/?q=sensitive+query+data")
val urlConnection = url.openConnection()
val inputStream: InputStream = urlConnection.getInputStream()
inputStream.copyTo(System.out) // stdlib copy; the copyInputStreamToOutputStream helper used before was never defined
Good Network Security Configuration Example (.xml)
Details and code snippets can be found at https://developer.android.com/training/articles/security-ssl.
Good Code Sample (.kotlin)
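The following is an added example, not code from the original report or from NowSecure, of the secure counterpart to the bad sample above. It refuses cleartext URLs outright, keeps the platform's default certificate-chain and hostname validation, and layers SPKI pinning on top for a known backend, as the Recommended Fix describes. The host api.example.com, the pin values, and the names fetchSecurely, enforcePins and BACKEND_PINS are assumptions (placeholders), not anything from the report.

```kotlin
import java.io.InputStream
import java.net.URL
import java.security.MessageDigest
import java.security.cert.Certificate
import java.security.cert.X509Certificate
import java.util.Base64
import javax.net.ssl.HttpsURLConnection
import javax.net.ssl.SSLPeerUnverifiedException

// Assumed SPKI pins for the app's own backend; the host and values are placeholders, not real pins.
// Keep at least one backup pin so a planned key rotation does not lock clients out.
private val BACKEND_PINS = mapOf(
    "api.example.com" to setOf(
        "sha256/PLACEHOLDER_CURRENT_KEY_PIN_BASE64=",
        "sha256/PLACEHOLDER_BACKUP_KEY_PIN_BASE64="
    )
)

// SHA-256 over the DER-encoded SubjectPublicKeyInfo, the same pin format OkHttp's CertificatePinner
// and the Android network security config <pin-set> use.
fun spkiPin(cert: X509Certificate): String {
    val digest = MessageDigest.getInstance("SHA-256").digest(cert.publicKey.encoded)
    return "sha256/" + Base64.getEncoder().encodeToString(digest)
}

// Throws unless at least one certificate in the presented chain matches a configured pin for the host.
// Matching any chain element (leaf or intermediate) lets you pin an intermediate's key and survive leaf rotation.
// Hosts with no configured pins (e.g. user-entered domains) fall through: CA and hostname validation still apply.
fun enforcePins(host: String, chain: Array<out Certificate>) {
    val expected = BACKEND_PINS[host] ?: return
    val presented = chain.filterIsInstance<X509Certificate>().map(::spkiPin)
    if (presented.none { it in expected }) {
        throw SSLPeerUnverifiedException("Certificate pin mismatch for $host: presented $presented")
    }
}

// Opens a TLS connection with default platform validation, then applies pinning before any data is read.
fun fetchSecurely(urlString: String): InputStream {
    val url = URL(urlString)
    // Refuse cleartext: a phone number or session token in the query or body must never leave the device over HTTP.
    require(url.protocol == "https") { "Refusing cleartext request to $urlString" }
    val conn = url.openConnection() as HttpsURLConnection
    // The default SSLSocketFactory validates the chain against the platform trust store and the default
    // HostnameVerifier checks the certificate against url.host; neither is overridden here.
    conn.connect()
    enforcePins(url.host, conn.serverCertificates)
    return conn.inputStream
}

fun main() {
    fetchSecurely("https://api.example.com/lookup?q=sensitive+query+data").use { it.copyTo(System.out) }
}
```

Apps that let users enter their own server names should leave those hosts out of BACKEND_PINS, which keeps CA and hostname validation but skips pinning, matching the caveat in the Recommended Fix. On Android the declarative equivalent of the cleartext check is a res/xml/network_security_config.xml with cleartextTrafficPermitted="false" (plus a <pin-set> for pinned domains), referenced from the manifest's android:networkSecurityConfig attribute, so the policy holds for every HTTP client in the app rather than only for code paths that call this helper.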
Additional Guidance
Risk and Regulatory Information
Severity: high CVSS: 7.1