Skip to content

MASTG-TEST-0217: Insecure TLS Protocols Explicitly Allowed in Code

Overview

The Android Network Security Configuration does not provide direct control over specific TLS versions (unlike iOS), and starting with Android 10, TLS v1.3 is enabled by default for all TLS connections.

There are still several ways to enable insecure versions of TLS, including:

Java Sockets

An app can obtain an SSLContext using an insecure TLS protocol by calling SSLContext.getInstance("TLSv1.1") and can also enable specific, potentially insecure, protocol versions using the API call javax.net.ssl.SSLSocket.setEnabledProtocols(String[] protocols).

Third-party Libraries

Some third-party libraries, such as OkHttp, Retrofit or Apache HttpClient, provide custom configurations for TLS protocols. These libraries may allow enabling outdated protocols if not carefully managed:

For example, using ConnectionSpec.COMPATIBLE_TLS in OkHttp (via okhttp3.ConnectionSpec.Builder.connectionSpecs(...)) can lead to insecure TLS versions, like TLS 1.1, being enabled by default in certain versions. Refer to OkHttp's configuration history for details on supported protocols.

The API call okhttp3.ConnectionSpec.Builder.tlsVersions(...) can also be used to set the enabled protocols (OkHttp documentation).

Steps

  1. Use Reverse Engineering Android Apps to reverse engineer the app.
  2. Use Static Analysis on Android to look for the relevant APIs.

Observation

The output should contain a list of all enabled TLS versions in the above mentioned API calls.

Evaluation

The test case fails if any insecure TLS version is directly enabled, or if the app enabled any settings allowing the use of outdated TLS versions, such as okhttp3.ConnectionSpec.COMPATIBLE_TLS.