The application was found to be using a vulnerable version of the OkHttp library. This indicates that an attacker could bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate. OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers on the same local or upstream network to bypass certificate pinning and potentially intercept and modify network data. "
Recommendation
Update the version of OkHttp used in the application to 4+.
Summary
The application was found to be using a vulnerable version of the OkHttp library. This indicates that an attacker could bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate. OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers on the same local or upstream network to bypass certificate pinning and potentially intercept and modify network data. "
Recommendation
Update the version of OkHttp used in the application to 4+.
Risk and Regulatory Information
Severity: medium CVSS: 5.9
Application
See more detail in the NowSecure Report