MASTG-TEST-0217: Insecure TLS Protocols Explicitly Allowed in Code
Content in BETA
This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).
Overview¶
The Android Network Security Configuration does not provide direct control over specific TLS versions (unlike iOS), and starting with Android 10, TLS v1.3 is enabled by default for all TLS connections.
There are still several ways to enable insecure versions of TLS, including:
Java Sockets¶
An app can obtain an SSLContext using an insecure TLS protocol by calling SSLContext.getInstance("TLSv1.1") and can also enable specific, potentially insecure, protocol versions using the API call javax.net.ssl.SSLSocket.setEnabledProtocols(String[] protocols).
Third-party Libraries¶
Some third-party libraries, such as OkHttp, Retrofit or Apache HttpClient, provide custom configurations for TLS protocols. These libraries may allow enabling outdated protocols if not carefully managed:
For example, using ConnectionSpec.COMPATIBLE_TLS in OkHttp (via okhttp3.ConnectionSpec.Builder.connectionSpecs(...)) can lead to insecure TLS versions, like TLS 1.1, being enabled by default in certain versions. Refer to OkHttp's configuration history for details on supported protocols.
The API call okhttp3.ConnectionSpec.Builder.tlsVersions(...) can also be used to set the enabled protocols (OkHttp documentation).
Steps¶
- Reverse engineer the app ( Decompiling Java Code).
- Run a static analysis ( Static Analysis on Android) tool on the reverse engineered app targeting calls to APIs setting the TLS protocol.
Observation¶
The output contains a list of all enabled TLS versions in the above mentioned API calls.
Evaluation¶
The test case fails if any insecure TLS version is directly enabled, or if the app enabled any settings allowing the use of outdated TLS versions, such as okhttp3.ConnectionSpec.COMPATIBLE_TLS.