NowSecure static analysis: Outdated Version of Network Library Potentially Exposes Network Traffic to Interception and Modification

[lcimeni]

Summary

The application was found to be using a vulnerable version of the OkHttp library. This indicates that an attacker could bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate. OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers on the same local or upstream network to bypass certificate pinning and potentially intercept and modify network data. "

Recommendation

Update the version of OkHttp used in the application to 4+.

Risk and Regulatory Information

Severity: medium CVSS: 5.9

• CWE: 295
• FISMA LOW: SC-13 CRYPTOGRAPHIC PROTECTION, AC-22 PUBLICLY ACCESSIBLE CONTENT
• FISMA MED: SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY
• Risk OWASP: Mobile Top 10: M3-Insecure Communication
• GDPR: Risks violating Article 25, Risks violating Article 32
• FFIEC: May violate D3.PC.Am.Int.7
• PCI: May violate requirement 4.1
• HIPAA: May violate §164.312(e)(1): Standard: Transmission security.
• CCPA: Risks violating CCPA: exfiltration, theft, or disclosure of PII
• CWE Top 25: 2019 CWE Top 25 Most Dangerous Software Errors

Application

• Platform: android
• Package: com.google.android.apps.docs.editors.slides

See more detail in the NowSecure Report