Network Communication / Attribute usesCleartextTraffic Set

Android / Mobile App

Description

"Attribute usesCleartextTraffic set" is a Network Communication vulnerability. The android:usesCleartextTraffic manifest attribute declares whether the app intends to send network traffic in cleartext, such as plain HTTP.

Risk

An unsecured (cleartext) communications channel between the app and its back-end services exposes the data transmitted between them to anyone positioned on the network path.

Solution

Explicitly set android:usesCleartextTraffic="false" on the application element and define an Android Network Security Config that does not permit cleartext traffic.

Example

android:usesCleartextTraffic="true"

This line shows the attribute usesCleartextTraffic set to true, which allows the app to transmit data in plaintext. Setting it to false makes the platform's network stacks refuse cleartext connections, so the app's traffic must use TLS (HTTPS), which prevents attackers on the path from intercepting and reading it.
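The following script is an added example, not code from the original page or from any vendor tool, that turns the Solution above into a repeatable check. It evaluates an app's effective base cleartext policy the way Android does: from API 24 a Network Security Config, when declared, overrides the manifest flag; otherwise android:usesCleartextTraffic decides; and when neither is set the platform default applies (cleartext allowed below targetSdkVersion 28, refused from API 28 / Android 9 onward). The manifests and Network Security Config files are constructed samples embedded inline (the package name and host are placeholders), and the script assumes a merged manifest in which <uses-sdk> carries targetSdkVersion. It also flags any <domain-config> that re-enables cleartext under an otherwise safe base-config, which is the caveat a reviewer most often misses.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _android_attr(elem, name):
    """Read an android:-namespaced attribute, or None if element/attribute is absent."""
    return None if elem is None else elem.get("{%s}%s" % (ANDROID_NS, name))


def _as_bool(value, default):
    """Interpret an XML boolean attribute, falling back to the inherited default."""
    if value is None:
        return default
    return value.strip().lower() == "true"


def cleartext_policy(manifest_xml, nsc_xml=None):
    """Return (permitted, reason, cleartext_domains) for the app's base cleartext policy.

    cleartext_domains lists hosts that a top-level <domain-config> re-enables
    cleartext for, even when the base policy refuses it.
    Assumption: merged manifest, so <uses-sdk android:targetSdkVersion> is present.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    target = int(_android_attr(root.find("uses-sdk"), "targetSdkVersion") or 1)
    platform_default = target < 28  # Android 9 (API 28) flipped the default to "refuse"
    has_nsc = _android_attr(app, "networkSecurityConfig") is not None

    if has_nsc and nsc_xml is not None:
        # From API 24 the Network Security Config takes precedence over the manifest flag.
        nsc = ET.fromstring(nsc_xml)
        base = nsc.find("base-config")
        base_value = None if base is None else base.get("cleartextTrafficPermitted")
        permitted = _as_bool(base_value, platform_default)
        if base_value is not None:
            reason = "base-config cleartextTrafficPermitted=%s" % base_value
        else:
            reason = "NSC present but base-config unset; platform default for targetSdk %d" % target
        domains = []
        for dc in nsc.findall("domain-config"):
            # A domain-config inherits the base policy unless it sets its own value.
            if _as_bool(dc.get("cleartextTrafficPermitted"), permitted):
                domains.extend(d.text.strip() for d in dc.findall("domain") if d.text)
        return permitted, reason, domains

    flag = _android_attr(app, "usesCleartextTraffic")
    if flag is not None:
        return _as_bool(flag, platform_default), "android:usesCleartextTraffic=%s" % flag, []
    return platform_default, "attribute unset; platform default for targetSdk %d" % target, []


# --- Constructed samples (placeholders, not from any real app) -------------------

VULNERABLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <uses-sdk android:targetSdkVersion="27"/>
  <application android:usesCleartextTraffic="true"/>
</manifest>"""

UNSET_MANIFEST_OLD_TARGET = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <uses-sdk android:targetSdkVersion="27"/>
  <application/>
</manifest>"""

HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <uses-sdk android:targetSdkVersion="33"/>
  <application android:usesCleartextTraffic="false"
      android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>"""

# The fix from the Solution section: refuse cleartext for every destination.
HARDENED_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
</network-security-config>"""

# Looks safe at the base, but one domain-config re-enables cleartext for a host.
LEAKY_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">legacy.placeholder.example</domain>
  </domain-config>
</network-security-config>"""


if __name__ == "__main__":
    for label, args in [("vulnerable", (VULNERABLE_MANIFEST,)),
                        ("unset, targetSdk 27", (UNSET_MANIFEST_OLD_TARGET,)),
                        ("hardened", (HARDENED_MANIFEST, HARDENED_NSC)),
                        ("hardened but leaky NSC", (HARDENED_MANIFEST, LEAKY_NSC))]:
        permitted, reason, domains = cleartext_policy(*args)
        verdict = "FAIL" if permitted or domains else "PASS"
        print("%-24s %s  (%s)%s" % (label, verdict, reason,
                                   "  cleartext domains: %s" % domains if domains else ""))
```

Run it against a merged AndroidManifest.xml and the referenced res/xml/network_security_config.xml from a build; a PASS means the base policy refuses cleartext and no domain-config re-enables it. Nested domain-config elements are not walked here, so a production check should recurse into them with the same inheritance rule.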

Related Incidents

  1. In 2019, the popular dating app Tinder was found to be vulnerable to the usesCleartextTraffic set vulnerability. This allowed attackers to intercept and read any data sent via the app, including messages and photos. (https://www.zdnet.com/article/tinder-vulnerable-to-man-in-the-middle-attack-allowing-sensitive-data-theft/)

  2. In 2019, the mobile app Truecaller was also affected by this vulnerability, allowing attackers to intercept and read data as well as to access users' personal information. (https://www.zdnet.com/article/truecaller-flaw-could-have-exposed-data-of-millions-of-android-users/)

  3. In 2018, the mobile game Pokémon Go was found to be affected by this vulnerability, allowing attackers to intercept and read data as well as to access users' personal information. (https://www.zdnet.com/article/pokemon-go-vulnerable-to-man-in-the-middle-attacks-security-researchers-find/)

  4. In 2017, the mobile game Clash of Clans was found to be affected by this vulnerability, allowing attackers to intercept and read data as well as to access users' personal information. (https://www.zdnet.com/article/clash-of-clans-vulnerable-to-man-in-the-middle-attacks/)

  5. In 2016, the Barclays mobile banking app was found to be affected by this vulnerability, allowing attackers to intercept and read data as well as to access users' personal information. (https://www.zdnet.com/article/barclays-android-app-vulnerable-to-man-in-the-middle-attacks/)
