Insecure Transport Configuration

ID

kotlin.android_insecure_transport_configuration

Severity

high

Resource

Misconfiguration

Language

Kotlin

Tags

CWE:311, CWE:319, MASVS:MSTG-NETWORK-1, NIST.SP.800-53, OWASP:2021:A2, OWASP:2021:A5, PCI-DSS:4.1, android

Description

Applications that allow cleartext (HTTP) traffic expose sensitive data to interception and man-in-the-middle attacks. This detector identifies Android applications configured to permit unencrypted network connections.

Rationale

This detector checks for insecure transport configurations through:

  • android:usesCleartextTraffic="true" in AndroidManifest.xml

  • cleartextTrafficPermitted="true" in Network Security Configuration

  • Insecure base-config or domain-config settings

Starting with Android 9 (API level 28), cleartext traffic is disabled by default. However, applications can explicitly enable it, creating security vulnerabilities.

HTTP traffic is transmitted in plaintext and can be:

  • Intercepted: Attackers on the same network can read all transmitted data

  • Modified: Man-in-the-middle attackers can alter requests and responses

  • Replayed: Captured requests can be resent to perform unauthorized actions

This is particularly critical for applications handling:

  • Authentication credentials (usernames, passwords, tokens)

  • Payment information (PCI-DSS requires encryption in transit)

  • Personal data (GDPR, HIPAA compliance)

  • Business-critical information

Even if backend servers support HTTPS, enabling cleartext traffic allows attackers to downgrade connections to HTTP or intercept traffic on unsecured networks (public Wi-Fi, compromised routers).

Remediation

Remove Cleartext Traffic Permission

AndroidManifest.xml - Remove or set to false:

<!-- Explicitly disable cleartext traffic; an XML comment cannot sit inside the start tag -->
<application
    android:usesCleartextTraffic="false"
    ...>
</application>

Configure Network Security

For Android 7.0+ (API 24), use Network Security Configuration to enforce HTTPS:

res/xml/network_security_config.xml:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <!-- Disable cleartext globally -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>

AndroidManifest.xml:

<application
    android:networkSecurityConfig="@xml/network_security_config"
    ...>
</application>

Allow Cleartext for Specific Domains (If Required)

If cleartext is absolutely necessary for specific domains (e.g., local development, legacy systems), restrict it using domain-config:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <!-- Disable cleartext by default -->
    <base-config cleartextTrafficPermitted="false" />

    <!-- Allow only for specific domains -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">localhost</domain>
        <domain includeSubdomains="false">10.0.2.2</domain> <!-- Android emulator -->
    </domain-config>
</network-security-config>

Never enable cleartext traffic for production APIs or servers. Always use HTTPS for production endpoints.

Update Code to Use HTTPS

Ensure all network connections use HTTPS URLs:

import okhttp3.OkHttpClient
import okhttp3.Request

val client = OkHttpClient()

// Insecure - HTTP: the request and response travel in plaintext
val insecureRequest = Request.Builder()
    .url("http://api.example.com/data")  // Vulnerable
    .build()

// Secure - HTTPS
val secureRequest = Request.Builder()
    .url("https://api.example.com/data")  // Secure
    .build()

Configuration

This detector allows configuring the domains that are permitted to use cleartext, for example for testing or debugging. Use the allowedDomains property:

properties:
  # Domains with allowed cleartext communication
  allowedDomains:
    - localhost
    - 127.0.0.1
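A minimal form of the three checks listed under Rationale, honouring the allowedDomains allow-list from this section, as an added Python example (not the detector's own implementation). It parses constructed AndroidManifest.xml and Network Security Configuration samples with the standard library; the function names and finding strings are this example's own.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def manifest_findings(manifest_xml: str) -> list[str]:
    """Report android:usesCleartextTraffic="true" on <application>."""
    root = ET.fromstring(manifest_xml)
    return [
        'AndroidManifest.xml: android:usesCleartextTraffic="true" on <application>'
        for app in root.iter("application")
        if app.get(f"{{{ANDROID_NS}}}usesCleartextTraffic", "").lower() == "true"
    ]

def nsc_findings(nsc_xml: str, allowed: frozenset[str]) -> list[str]:
    """Report a permissive <base-config> and every <domain-config> that itself sets
    cleartextTrafficPermitted="true" (nested ones included) for a non-allow-listed domain."""
    root = ET.fromstring(nsc_xml)
    findings = []
    base = root.find("base-config")
    if base is not None and base.get("cleartextTrafficPermitted", "").lower() == "true":
        findings.append("network_security_config.xml: <base-config> permits cleartext for all domains")
    for dc in root.iter("domain-config"):
        if dc.get("cleartextTrafficPermitted", "").lower() != "true":
            continue
        for name in ((d.text or "").strip().lower() for d in dc.findall("domain")):
            if name not in allowed:
                findings.append(f"network_security_config.xml: <domain-config> permits cleartext for {name}")
    return findings

def cleartext_findings(manifest_xml, nsc_xml=None, allowed_domains=("localhost", "127.0.0.1")):
    """Run both checks; the default allow-list mirrors the allowedDomains property above."""
    findings = manifest_findings(manifest_xml)
    if nsc_xml is not None:
        findings += nsc_findings(nsc_xml, frozenset(d.lower() for d in allowed_domains))
    return findings

# Constructed sample inputs, not taken from any real application.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
    <application android:usesCleartextTraffic="true"
                 android:networkSecurityConfig="@xml/network_security_config" />
</manifest>"""

SAMPLE_NSC = """<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">localhost</domain>
        <domain includeSubdomains="false">10.0.2.2</domain>
    </domain-config>
</network-security-config>"""
```

Against the samples, localhost is accepted by the default allow-list while 10.0.2.2 and the manifest flag are reported; passing `allowed_domains=("localhost", "10.0.2.2")` silences the emulator entry.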

References