MASTG-TEST-0286: Network Security Configuration Allowing Trust in User-Provided CAs
Overview
This test evaluates whether an Android app explicitly trusts user-added CA certificates by including <certificates src="user"/> in its Network Security Configuration. Starting with Android 7.0 (API level 24), apps no longer trust user-added CAs by default, but this configuration entry overrides that behavior. Such trust can expose the application to MITM attacks, because a malicious CA installed on the device by a user could be used to intercept the app's secure communications.
Steps
- Obtain the AndroidManifest.xml (Obtaining Information from the AndroidManifest).
- Check whether an android:networkSecurityConfig attribute is set in the <application> tag.
- Inspect the referenced Network Security Configuration file and extract all uses of <certificates src="user" />.
Observation
The output contains all the <trust-anchors> from the Network Security Configuration file along with any defined <certificates> entries, if present.
Evaluation
The test case fails if <certificates src="user" /> has been defined as part of the <trust-anchors> in the Network Security Configuration file.
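The steps and evaluation rule above can be automated. The following Python script is an added example written for this page; it is not part of MASTG or of any tool the guide describes. It reads the android:networkSecurityConfig attribute from a manifest, then walks a Network Security Configuration file and reports every <certificates src="user" /> that sits inside a <trust-anchors> element, applying the pass/fail rule from the Evaluation section. The manifests and configuration files embedded below are constructed samples (the package name com.example.hypothetical and the resource name network_security_config are assumptions), one showing the weak setting the test flags and one showing a configuration that trusts only the system CA store.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

# Namespace used by android:* attributes in AndroidManifest.xml
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest that references a Network Security Configuration
MANIFEST_WITH_NSC = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hypothetical">
    <application android:networkSecurityConfig="@xml/network_security_config">
    </application>
</manifest>
"""

# Constructed sample manifest with no Network Security Configuration at all;
# on API level 24+ the platform default (system CAs only) then applies
MANIFEST_WITHOUT_NSC = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hypothetical">
    <application>
    </application>
</manifest>
"""

# Constructed weak configuration: user-added CAs are trusted for all connections
WEAK_CONFIG = """
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""

# Constructed hardened configuration: only the system CA store is trusted
HARDENED_CONFIG = """
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""


def manifest_network_security_config(manifest_xml: str) -> Optional[str]:
    """Return the android:networkSecurityConfig value of the <application> tag, or None."""
    root = ET.fromstring(manifest_xml)
    application = root.find("application")
    if application is None:
        return None
    return application.get(f"{{{ANDROID_NS}}}networkSecurityConfig")


def find_user_trust_anchors(config_xml: str) -> List[str]:
    """Return a path for every <certificates src="user"/> found under a <trust-anchors>.

    Each top-level section (base-config, domain-config, debug-overrides) is walked
    recursively, so nested <domain-config> blocks are covered as well.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for section in root:
        for anchors in section.iter("trust-anchors"):
            for cert in anchors.findall("certificates"):
                if cert.get("src") == "user":
                    findings.append(f"{section.tag}/trust-anchors/certificates[@src='user']")
    return findings


def evaluate(config_xml: str) -> str:
    """Apply the test's rule: any user CA trust anchor fails the test case."""
    return "FAIL" if find_user_trust_anchors(config_xml) else "PASS"


if __name__ == "__main__":
    print("manifest references:", manifest_network_security_config(MANIFEST_WITH_NSC))
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, evaluate(cfg), find_user_trust_anchors(cfg))
```

In practice the manifest and the referenced XML resource are taken from the decoded APK, and the resource name returned from the manifest (here @xml/network_security_config) tells you which file under res/xml/ to feed to find_user_trust_anchors.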