MASWE-0050: Cleartext Traffic
Content in BETA
This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).
Draft Weakness
This weakness hasn't been created yet and it's in draft. But you can check its status or start working on it yourself. If the issue has not yet been assigned, you can request to be assigned to it and submit a PR with the new content for that weakness by following our guidelines.
Check our GitHub Issues for MASWE-0050
Initial Description or Hints¶
The app sends or receives data over an insecure channel, such as HTTP, FTP, or SMTP. This data can be intercepted and read by an attacker without needing to perform Man-in-the-Middle attacks. The app should use HTTPS, SFTP, or SMTPS instead.
Relevant Topics¶
- exceptions and if justifications are given using the platform provided mechanisms (Secure by Default Configuration).
- Cleartext Traffic allowed in App Network Configuration (usesCleartextTraffic in Android Manifest, cleartextTrafficPermitted in NSC, ATS allowInsecureLoads)
- cleartext in traffic capture
- Usage of HTTP traffic (e.g. HTTP URLs)
- cross-platform framework e.g. Flutter, Xamarin
- use of low-level APIs e.g. SSLSocket on Android or Network on iOS. ATS doesn't apply there. Prefer high-level API calls such as Android HttpsURLConnection/iOS URLSession.
- configs./ input params, logic e.g. on third-party or low-level frameworks such as SSLSocket on Android or Network on iOS
- Watch Communications
- Peer-to-peer communications (e.g. WiFi-direct, Nearby)
MASTG v1 Coverage¶
Tests¶
MASTG-TEST-0217: Insecure TLS Protocols Explicitly Allowed in Code MASTG-TEST-0218: Insecure TLS Protocols in Network Traffic