Skip to end of metadata
Go to start of metadata

Under Construction

This guideline is under construction. 

 

Loopback, that is, connecting network communications to localhost ports, should not be used when handling sensitive data. The localhost ports are accessible by other applications on the device, so their use may result in sensitive data being revealed. Instead, a secure Android IPC mechanism should be used, such as the HttpsURLConnection class or the SSLSocket class.

Similarly, secure communications should never be bound to the INADDR_ANY port since this would result in the application being able to receive requests form anywhere.

For more information on these issues, see: [Android Security] section Using Networking.

Noncompliant Code Example

This noncompliant code example shows an application that binds to a localhost network port to send sensitive data.

TBD

Another application could intercept the communication and access the sensitive data

Compliant Solution

In this compliant solution the application uses a secure network connection.

TBD

Risk Assessment

Using localhost or the INADDR_ANY port when handling sensitive data could result in the data being revealed.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

DRD23-J

Medium

Probable

Medium

P8

L2

Automated Detection

Automatic detection of the use of localhost or the INADDR_ANY port is straightforward. However, it may not be possible to automatically detect whether this use compromises any sensitive data.

Bibliography