Cleartext communications

OWASP category: MASVS-NETWORK: Network Communication

Overview

Allowing cleartext network communications in an Android app means that anyone monitoring network traffic can see and manipulate the data that is being transmitted. This is a vulnerability if the transmitted data includes sensitive information such as passwords, credit card numbers, or other personal information.

Even when no sensitive information is being sent, cleartext can still be a vulnerability: cleartext traffic can be manipulated through network attacks such as ARP or DNS poisoning, potentially enabling attackers to influence the behavior of an app.

Impact

When an Android application sends or receives data in cleartext over a network, anyone who is monitoring the network can intercept and read that data. If this data includes sensitive information such as passwords, credit card numbers, or personal messages, this can lead to identity theft, financial fraud, and other serious problems.

For example, an app transmitting passwords in cleartext could expose these credentials to a malicious actor intercepting the traffic. This data could then be used to gain unauthorized access to the user's accounts.

Risk: Unencrypted communication channels

Transmitting data over unencrypted communication channels exposes the data shared between the device and the application endpoints. This data can be intercepted and potentially modified by an attacker.

Mitigations

Data should be sent over encrypted communication channels. Secure protocols should be used as an alternative to protocols that don't offer encryption capabilities.

Specific Risks

This section gathers risks that require non-standard mitigation strategies or that were mitigated at a certain SDK level and are listed here for completeness.

Risk: HTTP

The guidance in this section applies only to apps that target Android 8.1 (API level 27) or earlier. Starting with Android 9 (API level 28), cleartext support is disabled by default.

Mitigations

Use the NetworkSecurityConfig.xml feature to opt out of cleartext traffic:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">secure.example.com</domain>
    </domain-config>
</network-security-config>

This option helps prevent accidental regressions in apps due to changes in URLs provided by external sources such as backend servers.
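
The following check is an added example, not part of the original guidance: a Python function that reads a Network Security Configuration file and lists the domains for which cleartext is still permitted, applying the rule that a domain-config inherits unset values from its parent domain-config or from base-config. The function names, the sample file and the target_sdk parameter are assumptions made for illustration; the manifest's android:usesCleartextTraffic attribute is not considered.

```python
import xml.etree.ElementTree as ET

# Constructed sample config (not from the page): base-config blocks cleartext,
# one domain-config re-enables it, and nested configs override or inherit it.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">legacy.example.com</domain>
        <domain-config cleartextTrafficPermitted="false">
            <domain includeSubdomains="false">pay.legacy.example.com</domain>
        </domain-config>
        <domain-config>
            <domain>cdn.legacy.example.com</domain>
        </domain-config>
    </domain-config>
</network-security-config>
"""

def _flag(elem, inherited):
    """Return the element's cleartext setting, or the inherited one if unset."""
    value = elem.get("cleartextTrafficPermitted")
    return inherited if value is None else value.strip().lower() == "true"

def cleartext_findings(xml_text, target_sdk=28):
    """List (domain, includeSubdomains) pairs that permit cleartext; ("*", True) is the app-wide default."""
    root = ET.fromstring(xml_text)
    # Platform default: cleartext allowed up to API level 27, blocked from 28.
    default = target_sdk <= 27
    base = root.find("base-config")
    base_allowed = _flag(base, default) if base is not None else default
    findings = [("*", True)] if base_allowed else []

    def walk(parent, inherited):
        for cfg in parent.findall("domain-config"):
            allowed = _flag(cfg, inherited)
            if allowed:
                for d in cfg.findall("domain"):
                    subs = d.get("includeSubdomains", "false").lower() == "true"
                    findings.append(((d.text or "").strip(), subs))
            walk(cfg, allowed)  # nested configs inherit from their parent

    walk(root, base_allowed)
    return findings

if __name__ == "__main__":
    print(cleartext_findings(SAMPLE))
```

Run against the configuration shown above with target_sdk=27, the function reports ("*", True): that domain-config covers only secure.example.com and its subdomains, and every other host keeps the platform default unless a base-config also sets cleartextTrafficPermitted="false".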


Risk: FTP

Using the FTP protocol to exchange files between devices presents several risks, the most significant being the lack of encryption over the communication channel. Safer alternatives such as SFTP or HTTPS should be used instead.

The guidance in this section applies only to apps that target Android 8.1 (API level 27) or earlier. Starting with Android 9 (API level 28), cleartext support is disabled by default.

Mitigations

Use HTTPS

This protocol encrypts the data in transit. Additional measures should be taken into consideration when using this kind of file exchange protocol:

  • Authentication – Users should authenticate themselves using secure mechanisms. Basic authentication is generally discouraged, as the credentials are not protected and are sent in every request, widening the risk of compromise.
  • Authorization – Users should be restricted to access only intended resources.
  • Ensure that a strong protocol and cipher suites are used, following security best practices. At the date of writing, using at least the TLSv1.3 protocol is recommended.
  • On Android 9 and later, cleartext HTTP communications are disabled by default, automatically enforcing HTTPS.

Use SFTP

This protocol encrypts the data in transit. Additional measures should be taken into consideration when using this kind of file exchange protocol:

  • SFTP supports different kinds of authentication. Instead of password-based authentication, the public key authentication method should be used. Such keys should be securely created and stored; Android Keystore is recommended for this purpose.
  • Ensure that supported ciphers follow security best practices.