MASTG-TEST-0286: Network Security Configuration Allowing Trust in User-Provided CAs

Overview

This test evaluates whether an Android app explicitly trusts user-added CA certificates by including <certificates src="user"/> under <trust-anchors> in its Network Security Configuration, the XML resource referenced by the android:networkSecurityConfig attribute of the <application> tag in AndroidManifest.xml. Starting with Android 7.0 (API level 24), apps targeting API level 24 or higher no longer trust user-added CAs by default; this configuration entry overrides that default.

Such trust exposes the app to MITM attacks: anyone who can get a CA certificate installed in the device's user trust store (for example through social engineering or on an already compromised device) can then intercept and modify the app's TLS traffic without triggering a certificate error.

Steps

  1. Use Reverse Engineering Android Apps to reverse engineer the app.
  2. Use Obtaining Information from the AndroidManifest to obtain the AndroidManifest.xml.
  3. Use Analyzing the AndroidManifest to check if the android:networkSecurityConfig attribute is present.
  4. Use Analyzing the Network Security Configuration to extract all uses of <certificates src="user" /> from the Network Security Configuration file.

Observation

The output should contain all the <trust-anchors> from the Network Security Configuration file along with any defined <certificates> entries, if present.

Evaluation

The test case fails if <certificates src="user" /> has been defined as part of the <trust-anchors> in the Network Security Configuration file.
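The following script is an added example written for this page (it is not part of the MASTG project or its tooling). It performs step 4 and the evaluation above offline on a Network Security Configuration file: it walks every <base-config>, <domain-config> (including nested ones) and <debug-overrides> element, collects each <certificates src="user"/> found under <trust-anchors>, and fails the test if any is present. The two configurations embedded in it are constructed samples: a weak one that trusts user CAs globally, for one domain and in debug overrides, and a hardened one that only trusts the system store. The active_in_release flag is an added annotation reflecting that Android only applies <debug-overrides> when the app is built with android:debuggable="true"; the verdict itself follows the page's criterion and counts every occurrence.

```python
"""Flag <certificates src="user"/> trust anchors in an Android Network Security Configuration."""
import xml.etree.ElementTree as ET

# Constructed sample: trusts user-added CAs for all domains, for api.example.com
# and in debug overrides. This configuration fails MASTG-TEST-0286.
WEAK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </domain-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""

# Constructed sample: the corrected configuration. Only the system trust store is
# used, and the debug-overrides block has been removed rather than left with a
# user anchor in it, so the file passes the test regardless of the debuggable flag.
HARDENED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </domain-config>
</network-security-config>
"""

# Every element type that may carry a <trust-anchors> child.
SECTIONS = ("base-config", "domain-config", "debug-overrides")


def user_ca_trust_anchors(xml_text):
    """Return one dict per <certificates src="user"/> found under <trust-anchors>."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    findings = []
    for section in SECTIONS:
        # iter() is recursive, so nested <domain-config> elements are covered too.
        for cfg in root.iter(section):
            domains = tuple(d.text.strip() for d in cfg.findall("domain") if d.text)
            for cert in cfg.findall("trust-anchors/certificates"):
                if cert.get("src") == "user":
                    findings.append({
                        "section": section,
                        "domains": domains,  # empty tuple means "all domains"
                        "overridePins": cert.get("overridePins", "false"),
                        # Android honours <debug-overrides> only when the app is
                        # built with android:debuggable="true".
                        "active_in_release": section != "debug-overrides",
                    })
    return findings


def evaluate(xml_text):
    """Apply the test criterion: fail if any trust anchor uses src="user"."""
    findings = user_ca_trust_anchors(xml_text)
    return {"fail": bool(findings), "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = evaluate(cfg)
        print(f"{name}: {'FAIL' if result['fail'] else 'PASS'}")
        for f in result["findings"]:
            where = ", ".join(f["domains"]) or "(all domains)"
            print(f"  {f['section']} {where} active_in_release={f['active_in_release']}")
```

To run it against a real target, replace the embedded strings with the contents of the XML file named by android:networkSecurityConfig (usually res/xml/network_security_config.xml in the decoded APK) and, if any finding comes from <debug-overrides>, check the manifest's android:debuggable attribute to decide whether it is reachable in the build under test.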

Demos

MASTG-DEMO-0057: Network Security Configuration Allows User-Added Certificates