Why is this important?
Ensuring that data in transit between the mobile application and the backend is protected is one of the most fundamental security requirements. If this control is not in place, all bets are off: attackers have many ways to attack your users.
Fixing Insecure Network Communication
Option A: Secure the TrustManager
SSL/TLS certificates can be difficult to manage across environments, which may result in insecure implementations making it all the way to production. One example found frequently is an empty TrustManager implementation, often used to connect to a host whose certificate is not signed by a root certificate authority. As a consequence, the connection is vulnerable to man-in-the-middle attacks, since the client will trust any certificate.
Instead, build a TrustManager that allows only specific certificates (based on a TrustStore, for example). More information about security with HTTPS and SSL can be found here.
Option B: Enforce TLS in WebView
An insecure WebView implementation, where the WebView ignores SSL certificate errors and accepts any SSL certificate, can lead to man-in-the-middle attacks. More information can be found here.
Option C: Rely on secure TLS versions
SSL has been considered insecure, and it is recommended to switch to TLS v1.3.
Look for patterns like:
SSLContext.getInstance("SSL3"): this selects the insecure SSL version 3; use a current TLS version instead.
new DefaultHttpClient(): this client does not support TLSv1.2 or above; use a more secure client, as described here.
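A concrete version of Option A (a TrustManager backed by a TrustStore) combined with the TLS-version point of Option C, in Java. This is an added illustration, not code from this page or from any particular project; the class name PinnedTls, the bundled CA file backend_ca.pem and the alias "backend-ca" are hypothetical, and TLSv1.3 assumes a platform that supports it.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class PinnedTls {

    // The vulnerable pattern described in Option A: an empty TrustManager that
    // accepts every certificate, so any on-path attacker is trusted. Contrast only.
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        public void checkServerTrusted(X509Certificate[] chain, String authType) {}
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // Hardened form: trust only the CA shipped with the app (hypothetical asset
    // "backend_ca.pem", passed in as a stream) and require TLSv1.3.
    public static SSLContext buildPinnedContext(InputStream caPem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca = (X509Certificate) cf.generateCertificate(caPem);

        // In-memory trust store holding nothing but our backend's CA
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("backend-ca", ca);

        // Standard chain validation (expiry, signature, path) against that store
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // Option C: never SSLContext.getInstance("SSL3") or "SSL"
        SSLContext ctx = SSLContext.getInstance("TLSv1.3");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static HttpsURLConnection open(URL url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Keep the default HostnameVerifier; do not replace it with a permissive one
        return conn;
    }
}
```

With this context, a server presenting a certificate that does not chain to backend_ca.pem fails the handshake instead of being silently accepted.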