MASTG-TEST-0235: Android App Configurations Allowing Cleartext Traffic
Overview
Since Android 9 (API level 28), cleartext HTTP traffic is blocked by default (thanks to the default Network Security Configuration), but there are multiple ways in which an application can still send it:
- AndroidManifest.xml: Setting the android:usesCleartextTraffic attribute of the <application> tag. Note that this flag is ignored in case the Network Security Configuration is configured.
- Network Security Configuration: Setting the cleartextTrafficPermitted attribute to true on <base-config> or <domain-config> elements.
Steps
- Reverse engineer the app (Decompiling Java Code).
- Obtain the AndroidManifest.xml.
- Obtain the Network Security Configuration.
- Read the value of usesCleartextTraffic from the AndroidManifest.xml.
- Read the value of cleartextTrafficPermitted from the NSC <base-config> element.
- Read the value of cleartextTrafficPermitted from the NSC <domain-config> elements.
Observation
The output contains a list of configurations potentially allowing for cleartext traffic.
Evaluation
The test case fails if cleartext traffic is permitted. This can happen if any of the following is true:
- The AndroidManifest sets usesCleartextTraffic to true and there's no NSC.
- The NSC sets cleartextTrafficPermitted to true in the <base-config>.
- The NSC sets cleartextTrafficPermitted to true in any <domain-config>.
Note: The test doesn't fail if the AndroidManifest sets usesCleartextTraffic to true and there's an NSC, even if it only has an empty <network-security-config> element. For example:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
</network-security-config>