OWASP category:
MASVS-NETWORK: Network Communication
Overview
Allowing cleartext network communications in an Android app means that anyone
monitoring network traffic can see and manipulate the data that is being
transmitted. This is a vulnerability if the transmitted data includes sensitive
information such as passwords, credit card numbers, or other personal
information.
Regardless of whether you are sending sensitive information, using cleartext
is still a weakness: plaintext HTTP traffic can be modified in transit by an
attacker positioned on the path through network poisoning attacks such as ARP
or DNS poisoning. An attacker who can alter responses can influence the
behavior of the app, for example by injecting content or redirecting it to a
server they control.
Impact
When an Android application sends or receives data in cleartext over a network,
anyone who is monitoring the network can intercept and read that data. If this
data includes sensitive information such as passwords, credit card numbers, or
personal messages, this can lead to identity theft, financial fraud, and other
serious problems.
For example, an app transmitting passwords in cleartext could expose these
credentials to a malicious actor intercepting the traffic. This data could then
be used to gain unauthorized access to the user's accounts.
Mitigations
The guidance in this section applies only to apps that target Android 8.1 (API
level 27) or lower. Starting with Android 9 (API level 28), cleartext traffic
is disabled by default for apps that target that level or higher. This is a
default, not a guarantee: an app targeting API level 28 or higher that sets
android:usesCleartextTraffic="true" in its manifest, or
cleartextTrafficPermitted="true" in its network security configuration,
re-opens the same exposure and should follow the guidance below as well.
Use the Network Security Configuration feature (a
res/xml/network_security_config.xml file, referenced from the manifest's
<application> element through android:networkSecurityConfig) to opt out of
cleartext traffic. The example below disables cleartext only for
secure.example.com and its subdomains; to disable it for the whole app, set
cleartextTrafficPermitted="false" on <base-config> instead of on a
<domain-config>:
Xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">secure.example.com</domain>
    </domain-config>
</network-security-config>
Declaring the policy in configuration, rather than relying on every request
being built with an https:// URL, also prevents accidental regressions: if a
URL supplied by an external source such as a backend server later changes from
https:// to http://, the platform refuses the connection (HttpURLConnection,
for example, fails with an IOException stating that cleartext HTTP traffic to
that host is not permitted) instead of silently sending the request in the
clear. Keep in mind that enforcement is best-effort: HttpURLConnection and
OkHttp honor the setting, WebView honors it for apps targeting API level 26 or
higher, but a library that opens raw sockets itself may ignore it.
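The following is an added example of an app-wide configuration, not the snippet from the page above: it denies cleartext for every destination by default and scopes a single, explicitly documented exception to one host. The domain names are placeholders chosen for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example; hostnames are placeholders) -->
<network-security-config>
    <!-- Deny cleartext for every destination not matched by a domain-config.
         For apps targeting API level 27 or lower the platform default is
         cleartextTrafficPermitted="true", so this line is what closes the gap.
         trust-anchors is left at the system store so TLS validation is unchanged. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- If one legacy endpoint genuinely cannot serve TLS yet, grant the
         exception to that host only, without subdomains, rather than flipping
         base-config back to "true". Remove the block once the endpoint migrates. -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">legacy-telemetry.example.com</domain>
    </domain-config>
</network-security-config>
```

Reference the file from the manifest with `<application android:networkSecurityConfig="@xml/network_security_config" ...>`. The configuration is read on Android 7.0 (API level 24) and higher; on Android 6.0 (API level 23) it is ignored, so also set `android:usesCleartextTraffic="false"` on the `<application>` element for that release. To confirm the policy is in effect on a test device, call `NetworkSecurityPolicy.getInstance().isCleartextTrafficPermitted("api.example.com")` (API level 24 and higher), which returns false for any host not covered by the exception, and issue an http:// request through HttpURLConnection, which must fail with the "Cleartext HTTP traffic ... not permitted" IOException rather than succeed.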
Resources