MASTG-TEST-0235: Android App Configurations Allowing Cleartext Traffic

Content in BETA

This content is in beta and still under active development, so it is subject to change at any time (e.g. structure, IDs, content, URLs, etc.).

Overview

Since Android 9 (API level 28), cleartext HTTP traffic is blocked by default (thanks to the default Network Security Configuration), but there are multiple ways in which an application can still send it:

  • AndroidManifest.xml: Setting the android:usesCleartextTraffic attribute of the <application> tag. Note that this flag is ignored if a Network Security Configuration is configured.
  • Network Security Configuration: Setting the cleartextTrafficPermitted attribute to true on <base-config> or <domain-config> elements.

Steps

  1. Reverse engineer the app (Decompiling Java Code).
  2. Obtain the AndroidManifest.xml.
  3. Obtain the Network Security Configuration.
  4. Read the value of usesCleartextTraffic from the AndroidManifest.xml.
  5. Read the value of cleartextTrafficPermitted from the NSC <base-config> element.
  6. Read the value of cleartextTrafficPermitted from the NSC <domain-config> elements.

Observation

The output contains a list of configurations potentially allowing for cleartext traffic.

Evaluation

The test case fails if cleartext traffic is permitted. This can happen if any of the following is true:

  1. The AndroidManifest sets usesCleartextTraffic to true and there's no NSC.
  2. The NSC sets cleartextTrafficPermitted to true in the <base-config>.
  3. The NSC sets cleartextTrafficPermitted to true in any <domain-config>.

Note: The test doesn't fail if the AndroidManifest sets usesCleartextTraffic to true and there's an NSC, even if it only has an empty <network-security-config> element. For example:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
</network-security-config>