
MASTG-TEST-0235: Android App Configurations Allowing Cleartext Traffic

Overview

Since Android 9 (API level 28), cleartext HTTP traffic is blocked by default (thanks to the default Network Security Configuration), but an application can still send it in several ways:

  • AndroidManifest.xml: Setting the android:usesCleartextTraffic attribute of the <application> tag. Note that this flag is ignored if a Network Security Configuration is configured.
  • Network Security Configuration: Setting the cleartextTrafficPermitted attribute to true on <base-config> or <domain-config> elements.

Steps

  1. Use Reverse Engineering Android Apps to reverse engineer the app.
  2. Use Obtaining Information from the AndroidManifest to obtain the AndroidManifest.xml.
  3. Use Analyzing the AndroidManifest to read the value of android:usesCleartextTraffic and check if android:networkSecurityConfig is present.
  4. Use Analyzing the Network Security Configuration to read the values of cleartextTrafficPermitted in the <base-config> and <domain-config> elements from the Network Security Configuration file.

Observation

The output should contain a list of configurations potentially allowing for cleartext traffic.

Evaluation

The test case fails if cleartext traffic is permitted. This can happen if any of the following is true:

  1. The AndroidManifest sets usesCleartextTraffic to true and there's no NSC.
  2. The NSC sets cleartextTrafficPermitted to true in the <base-config>.
  3. The NSC sets cleartextTrafficPermitted to true in any <domain-config>.

Note

The test doesn't fail if the AndroidManifest sets usesCleartextTraffic to true and there's an NSC, even if it only has an empty <network-security-config> element. For example:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
</network-security-config>