Secure Network Configuration Settings
Description
Secure Network Configuration Settings is a vulnerability that occurs when mobile apps or devices, such as those running Android, fail to configure their network stack securely, so that data crosses the network in cleartext or under weak or outdated encryption. The Common Weakness Enumeration (CWE) classifies this weakness as CWE-326, "Inadequate Encryption Strength"; the closely related CWE-327, "Use of a Broken or Risky Cryptographic Algorithm", covers the same failure when it results from choosing an obsolete protocol version or cipher. The Open Web Application Security Project (OWASP) Testing Guide also recognizes this weakness, stating that there is a risk when "Sensitive data is sent over the network without adequate encryption strength." The consequence is exposure of sensitive data such as passwords, session tokens, financial information, or other credentials.
Risk
The risk is that an attacker positioned on the network path, for example on a shared Wi-Fi network, behind a compromised router, or at any intermediary, can intercept, read, or tamper with data the app transmits in cleartext or over a weak or downgraded protocol. Captured passwords, session tokens, or financial details can then be used for account takeover, identity theft, financial loss, or further attacks on the user.
Solution
The solution is to make sure every connection the app opens is encrypted with a current protocol and authenticates the server. In practice this means three things. Use Transport Layer Security (TLS) 1.2 or later; every version of Secure Sockets Layer (SSL), as well as TLS 1.0 and 1.1, is deprecated and must not be enabled. Validate the server certificate against the platform's trusted certificate authorities and match it to the hostname, and never install an accept-all TrustManager or HostnameVerifier to silence certificate errors. Refuse to send data over cleartext channels at all, rather than only preferring encrypted ones. On Android the last point can be enforced declaratively: the Network Security Configuration (network_security_config.xml, with cleartextTrafficPermitted="false" on the base-config element) or the android:usesCleartextTraffic="false" attribute on the application element in the manifest makes the platform reject plain http:// connections, so the protection does not depend on every call site remembering to use https.
Example
The following code is an example of a secure network configuration in an Android app using HttpsURLConnection. It requests an SSLContext that supports TLS 1.2 and leaves the trust managers at their defaults, so the server certificate is validated against the device's CA store. Two caveats apply to an example this short. First, SSLContext.getInstance("TLSv1.2") selects a context that supports TLS 1.2, but the versions actually negotiated are whatever each socket has enabled, so an app that must forbid TLS 1.0 and 1.1 has to call setEnabledProtocols() on the sockets it creates. Second, a custom HostnameVerifier must never replace certificate-to-hostname matching with a plain string comparison: a verifier that only checks that the hostname string equals the expected server would accept any CA-trusted certificate, issued for any name, on a connection to that host. The verifier below therefore restricts connections to the expected host and delegates the certificate check to the platform verifier. Note that both set...Default calls change process-wide defaults for every HttpsURLConnection in the app.
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;

// null trust managers select the device's CA store; never replace them with an accept-all TrustManager.
SSLContext context = SSLContext.getInstance("TLSv1.2");
context.init(null, null, null);
SSLSocketFactory socketFactory = context.getSocketFactory();
HttpsURLConnection.setDefaultSSLSocketFactory(socketFactory);
// Keep the platform verifier, which matches the certificate's subjectAltName against the host.
// Comparing only the hostname string would accept any CA-trusted certificate for that host.
final HostnameVerifier platformVerifier = HttpsURLConnection.getDefaultHostnameVerifier();
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    @Override
    public boolean verify(String hostname, SSLSession session) {
        return hostname.equals("<server_address>") && platformVerifier.verify(hostname, session);
    }
});