
Insufficient Transport Layer Security in Android

Description

Just like the strings and constants embedded in a mobile application, the network traffic an application generates is not safe from eavesdroppers. For this reason, communication between an app and external services (e.g., an API server) must take place over a secure channel.

Impact

The adverse impacts of using HTTP instead of HTTPS for sensitive communication range from leakage of sensitive information to sessions being hijacked by an attacker positioned between the victim and the server (a man-in-the-middle).

Prevention

Application developers should work with their back-end colleagues to ensure that secure communication is implemented correctly in their apps. As an additional safeguard, the back-end team should also make sure that no endpoint is served over plain HTTP.
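On the client side, the Android Network Security Config is the standard way to enforce this: the following `res/xml/network_security_config.xml` is an added example (not from the original page) that blocks cleartext traffic app-wide; `api.example.com` is a placeholder host.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example, placeholder host)
     Weak setting to avoid: cleartextTrafficPermitted="true", which lets the
     app fall back to plain HTTP and exposes traffic to an on-path attacker.
     Note: on API level 27 and below the platform default permits cleartext,
     so the explicit "false" below is what actually enforces HTTPS there. -->
<network-security-config>
    <!-- Applies to every destination not covered by a domain-config. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <!-- Trust only the system CA store, not user-installed CAs. -->
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Explicit entry for the app's own API so the rule is obvious in review. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example.com</domain>
    </domain-config>
</network-security-config>
```

Reference the file from the manifest with `android:networkSecurityConfig="@xml/network_security_config"` on the `<application>` element; with it in place, any `http://` request the app attempts fails at runtime instead of silently leaving the device unencrypted, which is a useful test during review but does not replace the back-end removing HTTP endpoints as the text above recommends.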
