
Insecure Network Communication

Why is this important?

Ensuring that data in transit is secured between the mobile application and the backend is one of the most fundamental security requirements. If this security control is not in place, then all bets are off and attackers have many ways to attack your users.

Check out this video for a high-level explanation:

Insufficient Transport Layer Protection

Fixing Insecure Network Communication

Option A: Secure the TrustManager

SSL/TLS certificates can be difficult to manage across environments, which may result in insecure implementations making it all the way to a production environment. One example that can be found frequently is an empty TrustManager implementation used to connect to a host whose certificate is not signed by a root certificate authority. As a consequence, the client will trust any certificate, which makes it vulnerable to man-in-the-middle attacks.

A TrustManager allowing specific certificates (based on a TrustStore for example) should be built. More information about security with HTTPS and SSL can be found here.
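The empty TrustManager described above, next to a TrustManager built from a TrustStore, as an added example (not code from the original page). The truststore resource name `R.raw.backend_truststore`, its password and the PKCS12 format are assumptions for this example; `R` is the app's generated resource class.

```java
import android.content.Context;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class TrustManagerExamples {

    // VULNERABLE: an "empty" TrustManager. Both check methods return without
    // inspecting the chain, so any certificate (including one presented by an
    // on-path attacker) is accepted. Empty checkServerTrusted bodies are the
    // pattern to grep for during review.
    public static TrustManager[] insecureTrustAll() {
        return new TrustManager[] {
            new X509TrustManager() {
                @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
    }

    // SECURE: a TrustManager backed by a TrustStore that contains only the CA
    // (or leaf) certificate the backend actually uses. Chain validation is
    // delegated to the platform's X509TrustManager, which performs the real
    // signature, validity and path checks against that store.
    public static SSLContext secureContext(Context ctx) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12"); // assumed format
        // Assumed resource: res/raw/backend_truststore.p12 bundled with the app.
        try (InputStream in = ctx.getResources().openRawResource(R.raw.backend_truststore)) {
            trustStore.load(in, "changeit".toCharArray()); // assumed password
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);
        return sslContext;
    }

    // Use the restricted context for a single connection. The default
    // HostnameVerifier is deliberately left in place: the TrustManager checks
    // the chain, the verifier checks that the certificate matches the host.
    public static HttpsURLConnection openSecure(Context ctx, URL url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(secureContext(ctx).getSocketFactory());
        return conn;
    }
}
```

Two things to check when reviewing a fix like this: that no code path still installs `insecureTrustAll()` (for example behind a "debug" flag that can be flipped in a release build), and that `setHostnameVerifier` is not overridden with an always-true verifier, which would undo the benefit of a correct TrustManager.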

Option B: Enforce TLS in WebView

An insecure WebView implementation, where the WebView ignores SSL certificate errors and accepts any SSL certificate, can lead to man-in-the-middle attacks. More information can be found here.
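The insecure WebViewClient pattern beside a strict one, as an added example (not code from the original page). The error is reported through `onReceivedSslError`; calling `handler.proceed()` accepts the bad certificate, `handler.cancel()` aborts the load. The host name `backend.example.com` and the `StrictClient` and `InsecureClient` class names are assumptions for this example.

```java
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public final class WebViewTlsClients {

    // VULNERABLE: proceeding past the error makes the WebView accept any
    // certificate, so an on-path attacker can serve their own page and read
    // everything the user types into it. "handler.proceed()" inside
    // onReceivedSslError is the pattern to look for in code review.
    public static final class InsecureClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.proceed();
        }
    }

    // SECURE: cancel the load on any certificate error (this is also what the
    // base WebViewClient does) and record enough detail to debug the real cause
    // (expired certificate, wrong host, untrusted CA) instead of bypassing it.
    public static final class StrictClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.cancel();
            Log.w("StrictClient", "TLS error " + error.getPrimaryError() + " for " + error.getUrl());
        }

        // Additionally refuse to navigate to anything that is not HTTPS, so a
        // redirect to plain HTTP cannot downgrade the session (API 24+ overload).
        @Override
        public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
            boolean isHttps = "https".equals(request.getUrl().getScheme());
            return !isHttps; // true = block the navigation
        }
    }

    public static void configure(WebView webView) {
        webView.setWebViewClient(new StrictClient());
        webView.loadUrl("https://backend.example.com/"); // assumed URL
    }
}
```

If a development backend uses a certificate that is not trusted by the device, the fix is to install that CA on the test device or to trust it explicitly in a debug-only configuration, never to override `onReceivedSslError` with `proceed()` in code that can ship.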

Option C: Rely on secure TLS versions

SSL is considered insecure, and it is recommended to switch to TLS v1.3.

Look for patterns like:

  • SSLContext.getInstance("SSL3"): This uses the insecure SSL version 3; use TLSv1.3 instead.
  • new DefaultHttpClient(): This doesn't support TLSv1.2 or above; use a more secure client, as described here.
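The two patterns above and their replacement, as an added example (not code from the original page): an SSLContext that requests TLS 1.3, plus a helper that restricts the enabled protocols on the socket and reports what was actually negotiated, so a test can confirm the downgrade is gone. `SSLContext.getInstance("TLSv1.3")` is available on Android 10 (API 29) and later; the `connectAndReport` helper name and the host/port arguments are assumptions for this example, and it uses the platform's default trust store rather than a pinned one.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public final class TlsVersionExamples {

    // VULNERABLE (the pattern quoted in the text): asks the provider for SSLv3,
    // a protocol with known breaks. Do not use; shown only as the thing to find.
    //   SSLContext insecure = SSLContext.getInstance("SSL3");
    //   HttpClient legacy  = new DefaultHttpClient(); // no TLS 1.2+ support

    // SECURE: request TLS 1.3 explicitly. init(null, null, null) keeps the
    // platform default TrustManager, i.e. normal chain validation.
    public static SSLContext tls13Context() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.3");
        ctx.init(null, null, null);
        return ctx;
    }

    // Intersect the protocols we are willing to speak with what the device
    // supports, so setEnabledProtocols() does not throw on an older runtime,
    // and fail closed if nothing modern is available.
    public static String[] modernProtocols(SSLSocket socket) {
        List<String> supported = Arrays.asList(socket.getSupportedProtocols());
        List<String> wanted = new ArrayList<>();
        for (String p : new String[] {"TLSv1.3", "TLSv1.2"}) {
            if (supported.contains(p)) {
                wanted.add(p);
            }
        }
        if (wanted.isEmpty()) {
            throw new IllegalStateException("device supports neither TLSv1.3 nor TLSv1.2");
        }
        return wanted.toArray(new String[0]);
    }

    // Open a connection with only modern protocols enabled, require host name
    // verification, complete the handshake and return the negotiated version
    // (e.g. "TLSv1.3"). Useful as an instrumented test against the backend.
    public static String connectAndReport(String host, int port) throws Exception {
        SSLSocketFactory factory = tls13Context().getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.setEnabledProtocols(modernProtocols(socket));

            // Without this, a raw SSLSocket does not check that the certificate
            // matches the host name; HttpsURLConnection does it for you.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);

            socket.startHandshake();
            return socket.getSession().getProtocol();
        }
    }
}
```

For ordinary HTTP traffic, replacing `DefaultHttpClient` with `HttpsURLConnection` (or a maintained client library) and passing `tls13Context().getSocketFactory()` to `setSSLSocketFactory` gives the same protocol restriction without managing sockets by hand.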

More information: