Last updated: June 27, 2025

MASTG-DEMO-0050: Identifying Insecure Dependencies in Android Studio


Sample

build.gradle.kts
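plugins {
    id("com.android.application")
    id("org.jetbrains.kotlin.android")
    id("org.owasp.dependencycheck") version "10.0.4" // dependencyCheck Plugin
}

// dependencyCheck Configuration
dependencyCheck {

    formats = listOf("HTML", "XML", "JSON") // Generate reports in HTML, JSON and XML format
    nvd {
        // Do not put a real NVD API key in this file: build scripts are committed
        // and shared. Read it from the environment instead (NVD_API_KEY is the
        // variable name chosen by this build) and fall back to the placeholder so
        // the script still evaluates when the variable is unset.
        apiKey = System.getenv("NVD_API_KEY") ?: "<YOUR-API-KEY>"
        delay = 16000 // Delay between NVD API requests (presumably milliseconds); kept as configured for this demo
    }

}

android {
    namespace = "org.owasp.mastestapp"
    compileSdk = 34

    defaultConfig {
        applicationId = "org.owasp.mastestapp"
        minSdk = 29
        targetSdk = 34
        versionCode = 1
        versionName = "1.0"

        testInstrumentationRunner = "androidx.test.runner.AndroidJUnitRunner"
        vectorDrawables {
            useSupportLibrary = true
        }
    }

    buildTypes {
        release {
            isMinifyEnabled = false
            proguardFiles(
                getDefaultProguardFile("proguard-android-optimize.txt"),
                "proguard-rules.pro"
            )
        }
    }
    compileOptions {
        sourceCompatibility = JavaVersion.VERSION_1_8
        targetCompatibility = JavaVersion.VERSION_1_8
    }
    kotlinOptions {
        jvmTarget = "1.8"
    }
    buildFeatures {
        compose = true
    }
    composeOptions {
        kotlinCompilerExtensionVersion = "1.5.1"
    }
    packaging {
        resources {
            excludes += "/META-INF/{AL2.0,LGPL2.1}"
        }
    }
}

dependencies {

    implementation("androidx.core:core-ktx:1.12.0")
    implementation("androidx.lifecycle:lifecycle-runtime-ktx:2.7.0")
    implementation("androidx.activity:activity-compose:1.8.2")
    implementation(platform("androidx.compose:compose-bom:2024.04.00"))
    implementation("androidx.compose.ui:ui")
    implementation("androidx.compose.ui:ui-graphics")
    implementation("androidx.compose.ui:ui-tooling-preview")
    implementation("androidx.compose.material3:material3")
    testImplementation("junit:junit:4.13.2")
    androidTestImplementation("androidx.test.ext:junit:1.1.5")
    androidTestImplementation("androidx.test.espresso:espresso-core:3.5.1")
    androidTestImplementation(platform("androidx.compose:compose-bom:2024.04.00"))
    androidTestImplementation("androidx.compose.ui:ui-test-junit4")
    debugImplementation("androidx.compose.ui:ui-tooling")
    debugImplementation("androidx.compose.ui:ui-test-manifest")
    implementation("org.jetbrains.kotlin:kotlin-reflect:1.9.10")
    // vulnerable library: deliberately pinned to a version with known CVEs so the
    // dependency-check scan has something to report. Do not bump it in this demo.
    implementation("com.squareup.okhttp3:okhttp:4.9.1")

}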

Steps

Execute gradle in Android Studio to trigger dependency-check.

run.sh
# Runs the OWASP dependency-check Gradle task configured in build.gradle.kts;
# reports are produced in the formats listed under dependencyCheck.formats.
./gradlew dependencyCheckAnalyze

Observation

The scan identified 303 unique dependencies, four of which are vulnerable, with five vulnerabilities in total. More vulnerabilities may be discovered over time, so these numbers may increase. If you used the suppress.xml file, the report additionally lists 57 suppressed vulnerabilities.

output.txt
...
[redacted for readability]
...
        {
            "isVirtual": false,
            "fileName": "okhttp-4.9.1.jar",
            "filePath": "\/Users\/sushi2k\/.gradle\/caches\/modules-2\/files-2.1\/com.squareup.okhttp3\/okhttp\/4.9.1\/51215279c3fe472c59b6b7dd7491e6ac2e28a81b\/okhttp-4.9.1.jar",
            "md5": "018ce5d28ab7958a1f0bb93b35215ef6",
            "sha1": "51215279c3fe472c59b6b7dd7491e6ac2e28a81b",
            "sha256": "6afdd8f35f4eb60df965c290fa3acf29443fa986545113d0729b8461f6571f8f",
            "description": "Square\u2019s meticulous HTTP client for Java and Kotlin.",
            "license": "The Apache Software License, Version 2.0: http:\/\/www.apache.org\/licenses\/LICENSE-2.0.txt",
...
[redacted for readability]
...
            "packages": [
                {
                    "id": "pkg:maven\/com.squareup.okhttp3\/[email protected]",
                    "confidence": "HIGH",
                    "url": "https:\/\/ossindex.sonatype.org\/component\/pkg:maven\/com.squareup.okhttp3\/[email protected]?utm_source=dependency-check&utm_medium=integration&utm_content=12.1.1"
                }
            ],
             "vulnerabilityIds": [
                {
                    "id": "cpe:2.3:a:squareup:okhttp:4.9.1:*:*:*:*:*:*:*",
                    "confidence": "HIGHEST",
                    "url": "https:\/\/nvd.nist.gov\/vuln\/search\/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Asquareup&cpe_product=cpe%3A%2F%3Asquareup%3Aokhttp&cpe_version=cpe%3A%2F%3Asquareup%3Aokhttp%3A4.9.1"
                },
                {
                    "id": "cpe:2.3:a:squareup:okhttp3:4.9.1:*:*:*:*:*:*:*",
                    "confidence": "HIGHEST",
                    "url": "https:\/\/nvd.nist.gov\/vuln\/search\/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Asquareup&cpe_product=cpe%3A%2F%3Asquareup%3Aokhttp3&cpe_version=cpe%3A%2F%3Asquareup%3Aokhttp3%3A4.9.1"
                }
            ],
            "vulnerabilities": [
                {
                    "source": "OSSINDEX",
                    "name": "CVE-2021-0341",
                    "severity": "HIGH",
                    "cvssv3": {
                        "baseScore": 7.5,
                        "attackVector": "NETWORK",
                        "attackComplexity": "LOW",
                        "privilegesRequired": "NONE",
                        "userInteraction": "NONE",
                        "scope": "UNCHANGED",
                        "confidentialityImpact": "HIGH",
                        "integrityImpact": "NONE",
                        "availabilityImpact": "NONE",
                        "baseSeverity": "HIGH",
                        "version": "3.1"
                    },
                    "cwes": [
                        "CWE-295"
                    ],
                    "description": "In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-171980069\n\nSonatype's research suggests that this CVE's details differ from those defined at NVD. See https:\/\/ossindex.sonatype.org\/vulnerability\/CVE-2021-0341 for details",
                    "notes": "",
                    "references": [
                        {
                            "source": "OSSIndex",
                            "url": "https:\/\/source.android.com\/security\/bulletin\/2021-02-01#android-runtime",
                            "name": "https:\/\/source.android.com\/security\/bulletin\/2021-02-01#android-runtime"
                        },
                        {
                            "source": "OSSINDEX",
                            "url": "https:\/\/ossindex.sonatype.org\/vulnerability\/CVE-2021-0341?component-type=maven&component-name=com.squareup.okhttp3%2Fokhttp&utm_source=dependency-check&utm_medium=integration&utm_content=12.1.1",
                            "name": "[CVE-2021-0341] CWE-295: Improper Certificate Validation"
                        },
                        {
                            "source": "OSSIndex",
                            "url": "http:\/\/web.nvd.nist.gov\/view\/vuln\/detail?vulnId=CVE-2021-0341",
                            "name": "http:\/\/web.nvd.nist.gov\/view\/vuln\/detail?vulnId=CVE-2021-0341"
                        },
                        {
                            "source": "OSSIndex",
                            "url": "https:\/\/github.com\/square\/okhttp\/pull\/6353",
                            "name": "https:\/\/github.com\/square\/okhttp\/pull\/6353"
                        }
                    ],
                    "vulnerableSoftware": [
                        {
                            "software": {
                                "id": "cpe:2.3:a:com.squareup.okhttp3:okhttp:4.9.1:*:*:*:*:*:*:*",
                                "vulnerabilityIdMatched": "true"
                            }
                        }
                    ]
                },
                {
                    "source": "NVD",
                    "name": "CVE-2023-0833",
                    "severity": "MEDIUM",
                    "cvssv3": {
                        "baseScore": 5.5,
                        "attackVector": "LOCAL",
                        "attackComplexity": "LOW",
                        "privilegesRequired": "LOW",
                        "userInteraction": "NONE",
                        "scope": "UNCHANGED",
                        "confidentialityImpact": "HIGH",
                        "integrityImpact": "NONE",
                        "availabilityImpact": "NONE",
                        "baseSeverity": "MEDIUM",
                        "exploitabilityScore": "1.8",
                        "impactScore": "3.6",
                        "version": "3.1"
                    },
                    "cwes": [
                        "CWE-209"
                    ],
                    "description": "A flaw was found in Red Hat's AMQ-Streams, which ships a version of the OKHttp component with an information disclosure flaw via an exception triggered by a header containing an illegal value. This issue could allow an authenticated attacker to access information outside of their regular permissions.",
                    "notes": "",
...
[redacted for readability]
...

Evaluation

Because of the number of findings, the dependency-check report can be lengthy and may contain false positives, so review each reported instance individually. The dependency okhttp-4.9.1.jar declared in build.gradle.kts has known vulnerabilities (for example CVE-2021-0341, an improper certificate validation issue in hostname verification) and should be updated to the latest version.