Network Communication / Attribute Usescleartexttraffic Set

AndroidMobile App

Description

Attribute usesCleartextTraffic set is a type of IT vulnerability that is classified as a Network Communication vulnerability. This vulnerability is present in both Android and Mobile App systems, as well as in other similar systems. According to the CWE/SANS TOP 25 Most Dangerous Software Errors directory, this vulnerability occurs when an application or system fails to properly utilize secure communication channels, allowing for the transmission of data in plaintext. This can lead to an attacker being able to intercept and read any data sent via plaintext, thus compromising the security of the system. (CWE-319)

Risk

The risk of this vulnerability is high, as it can lead to a complete compromise of the system. It is possible for an attacker to access confidential information, such as passwords and credit card numbers, as well as to modify the code of the system in order to gain control of it. Furthermore, this vulnerability can be exploited remotely, allowing for attackers to gain access to the system from a distance. (OWASP Testing Guide: A3-Sensitive Data Exposure)

Solution

The best solution to this vulnerability is to ensure that all communication within the system is encrypted. This can be accomplished by using secure protocols such as TLS or SSL, which are designed to ensure that all data transmitted is encrypted and thus inaccessible to attackers. Additionally, it is important to ensure that all parts of the system are properly configured and updated to use the latest version of the secure protocols.

Example

android:usesCleartextTraffic="true"

This code is an example of the attribute usesCleartextTraffic set to true, which allows for the transmission of data in plaintext. By setting this attribute to false, the system can be configured to use secure protocols such as TLS or SSL, thus preventing attackers from being able to intercept and read the data being transmitted.

Related incidents

  1. In 2019, the popular dating app Tinder was found to be vulnerable to the usesCleartextTraffic set vulnerability. This allowed for attackers to intercept and read any data sent via the app, including messages and photos. (https://www.zdnet.com/article/tinder-vulnerable-to-man-in-the-middle-attack-allowing-sensitive-data-theft/)

  2. In 2019, the mobile app Truecaller was also vulnerable to this vulnerability, allowing for attackers to intercept and read data as well as to access users’ personal information. (https://www.zdnet.com/article/truecaller-flaw-could-have-exposed-data-of-millions-of-android-users/)

  3. In 2018, the mobile game Pokémon Go was found to be vulnerable to this vulnerability, allowing for attackers to intercept and read data as well as to access users’ personal information. (https://www.zdnet.com/article/pokemon-go-vulnerable-to-man-in-the-middle-attacks-security-researchers-find/)

  4. In 2017, the mobile game Clash of Clans was found to be vulnerable to this vulnerability, allowing for attackers to intercept and read data as well as to access users’ personal information. (https://www.zdnet.com/article/clash-of-clans-vulnerable-to-man-in-the-middle-attacks/)

  5. In 2016, the mobile banking app Barclays was found to be vulnerable to this vulnerability, allowing for attackers to intercept and read data as well as to access users’ personal information. (https://www.zdnet.com/article/barclays-android-app-vulnerable-to-man-in-the-middle-attacks/)

Curious? Convinced? Interested?

Arrange a no-obligation consultation with one of our product experts today.