Last updated: June 22, 2025

MASTG-TEST-0285: Outdated Android Version Allowing Trust in User-Provided CAs

Overview

This test evaluates whether an Android app implicitly trusts user-added CA certificates by default, which is the case for any app that can be installed on devices running API level 23 or lower.

Such apps rely on the default Network Security Configuration of those Android versions, which trusts both system and user-installed Certificate Authorities (CAs). That trust exposes the app to MITM attacks, because a malicious CA installed by the user can be used to intercept its secure communications.

Steps

  1. Obtain the AndroidManifest.xml (see Obtaining Information from the AndroidManifest).
  2. Read the value of the minSdkVersion attribute from the <uses-sdk> element.

Observation

The output contains the value of minSdkVersion.

Evaluation

The test case fails if minSdkVersion is less than 24.
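The steps and the evaluation above can be automated over a decoded AndroidManifest.xml (text XML, as produced for example by apktool). The following is an added example, not part of the MASTG tooling; the three manifests are constructed samples and `com.example.placeholder` is a placeholder package name.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# API level 24 (Android 7.0) is the first release whose default Network
# Security Configuration stops trusting user-added CAs.
SAFE_MIN_SDK = 24

# Constructed sample manifests (decoded text XML, e.g. as produced by apktool).
VULNERABLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="33"/>
</manifest>"""

SAFE_MANIFEST = VULNERABLE_MANIFEST.replace('minSdkVersion="21"', 'minSdkVersion="24"')

NO_USES_SDK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder"/>"""


def read_min_sdk(manifest_xml: str):
    """Return the integer minSdkVersion from <uses-sdk>, or None if the element or
    attribute is absent or not numeric (preview codenames such as "O" are not handled)."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return None
    value = uses_sdk.get(f"{{{ANDROID_NS}}}minSdkVersion")
    return int(value) if value is not None and value.isdigit() else None


def evaluate(manifest_xml: str) -> dict:
    """Apply the MASTG-TEST-0285 verdict: the test fails if minSdkVersion is below 24."""
    min_sdk = read_min_sdk(manifest_xml)
    if min_sdk is None:
        # Android assumes minSdkVersion 1 when the attribute is missing, so the
        # app can still be installed on devices that trust user-added CAs.
        return {"min_sdk": None, "fails": True,
                "reason": "minSdkVersion missing; Android defaults it to 1"}
    fails = min_sdk < SAFE_MIN_SDK
    return {"min_sdk": min_sdk, "fails": fails,
            "reason": f"minSdkVersion={min_sdk} {'<' if fails else '>='} {SAFE_MIN_SDK}"}


if __name__ == "__main__":
    for name, manifest in [("vulnerable", VULNERABLE_MANIFEST),
                           ("safe", SAFE_MANIFEST),
                           ("no uses-sdk", NO_USES_SDK_MANIFEST)]:
        verdict = evaluate(manifest)
        print(f"{name}: {'FAIL' if verdict['fails'] else 'PASS'} ({verdict['reason']})")
```

A missing `<uses-sdk>` element is reported as a failure rather than skipped, since without the attribute the app remains installable on the affected API levels.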