Android : Unsafe SSL socket

Classification

OWASP Mobile Top 10 2016
PCI DSS 4.0

Overview

The application creates a socket without checking the SSL parameters. This makes the application vulnerable to man-in-the-middle attacks.

The createSocket() method, when called with a parameter of the InetAddress type, does not perform domain (hostname) verification. The getInsecure() method returns the socket without any SSL checks. In both cases there is a risk that valuable data loses its confidentiality.
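The two flagged calls and a corrected form, as an added example that is not part of the original entry. It assumes the methods above belong to android.net.SSLCertificateSocketFactory (the entry does not name the class); the class name VerifiedTlsSocket and the method open() are hypothetical.

```java
import java.io.IOException;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public final class VerifiedTlsSocket {
    // Flagged patterns, shown for contrast only (assumed class:
    // android.net.SSLCertificateSocketFactory):
    //
    //   SSLCertificateSocketFactory.getInsecure(timeoutMs, null)
    //           .createSocket(host, port);
    //       -> no SSL checks are performed on the peer
    //
    //   SSLCertificateSocketFactory.getDefault(timeoutMs)
    //           .createSocket(inetAddress, port);
    //       -> the factory has no hostname to compare the certificate with

    private VerifiedTlsSocket() {}

    /** Opens a TLS socket and refuses it unless the certificate matches expectedHost. */
    public static SSLSocket open(String expectedHost, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(expectedHost, port);
        try {
            // Complete the handshake first so the session holds the peer certificate.
            socket.startHandshake();
            SSLSession session = socket.getSession();
            // On Android the default verifier matches the certificate to the hostname.
            HostnameVerifier verifier = HttpsURLConnection.getDefaultHostnameVerifier();
            if (!verifier.verify(expectedHost, session)) {
                throw new SSLPeerUnverifiedException(
                        "Certificate does not match host " + expectedHost);
            }
            return socket;
        } catch (IOException e) {
            socket.close(); // never hand an unverified socket back to the caller
            throw e;
        }
    }
}
```

Send application data only on the socket returned by open(); a socket that fails verification is closed before any payload is written.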

DerScanner Severity Score: MEDIUM
