...
The compliant solution may vary, depending on the actual implementation. For examples of secure implementation such as using a self-signed server certificate, please refer to "Android Application Secure Design/Secure Coding Guidebook", Section 5.4 Communicate by HTTPS.
Risk Assessment
Not properly verifying the server certificate on SSL/TLS may allow apps to connect to an imposter site, while fooling the user into thinking that the user is connected to an intended site. One example of associated risks is that this could expose a user's sensitive data.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
DRD19-J | High | Probable | Medium | P12 | L1 |
Automated Detection
It is possible to automatically detect whether an application uses one of the three Android SDK packages named for establishing network connections, and to check if any of the methods from those classes are overriden by the application. It It is not feasible to automatically determine the intent of the app or the or the environment the apps are used in.
Tool | Version | Checker | Description |
|---|
Related Vulnerabilities
- VU#582497 Multiple Android applications fail to properly validate SSL certificates
- JVN#39218538 Pizza Hut Japan Official Order App for Android has a problem whereby it fails to verify SSL server certificates.
- JVN#75084836 Yome Collection for Android has a problem with management of IMEI.
- JVN#68156832 Yafuoku! contains an issue where it fails to verify SSL server certificates.
Related Guidelines
5.4 Communicating via HTTPS |