Insecure Network Configuration Settings
Description
Android Network Security Configuration is an XML file that lets an application declare its network security settings (trusted certificate authorities, cleartext traffic policy and certificate pinning) instead of implementing them in code.
When the Network Security Configuration is missing or configured insecurely, the application can be left vulnerable to man-in-the-middle (MiTM) attacks.
Recommendation
Android Network Security Configuration is an XML file that enables declarative configuration of the application's network security.
Add a Network Security Configuration to your application:
1- Create a new XML file in your app's res/xml directory. Name it network_security_config.xml, or any other suitable name.
2- Define the security configurations; see the examples below.
3- Apply the configuration in the manifest by referencing the file from the android:networkSecurityConfig attribute of the <application> element (other application attributes are omitted here):
<application
    android:networkSecurityConfig="@xml/network_security_config">
    <!-- Other configurations -->
</application>
Network security configuration examples
- Custom Certificate Authority with support for debug-only settings
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="@raw/debug_cas"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>
- Declarative opt-out for cleartext traffic
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">secure.example.com</domain>
    </domain-config>
</network-security-config>
- Declarative setting of certificate pinning keys
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <pin-set expiration="2018-01-01">
            <pin digest="SHA-256">7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=</pin>
            <!-- backup pin -->
            <pin digest="SHA-256">fwza0LRMXouZHRC8Ei+4PyuldPDcf3UKgO/04cDM1oE=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
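As an added example (not part of the original page or of any project's own code), the following Python script audits a network_security_config.xml and the manifest reference to it against the points above: it checks that the manifest's <application> element points at a config, that the base configuration disables cleartext, that user-installed CAs are trusted only under <debug-overrides>, and that each <pin-set> has a backup pin and has not yet expired. It goes beyond the page's individual snippets by combining them into one complete hardened configuration (the SECURE_NSC sample) next to a deliberately weak one (INSECURE_NSC). Both samples, the package name, the domain names and the audit date are constructed for this example; the pin values are the ones shown in the examples above.

```python
import xml.etree.ElementTree as ET
from datetime import date

ANDROID_NS = "http://schemas.android.com/apk/res/android"
AUDIT_DATE = date(2024, 1, 1)  # constructed "today" so the results are reproducible

# Constructed sample manifest (assumed package name) referencing the config file.
MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <application android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>
"""

# Constructed hardened config: cleartext off, system CAs only, pinned domain with a
# backup pin, user-installed CAs only for debug builds. Pin values are from the page.
SECURE_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <pin-set expiration="2099-01-01">
            <pin digest="SHA-256">7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=</pin>
            <pin digest="SHA-256">fwza0LRMXouZHRC8Ei+4PyuldPDcf3UKgO/04cDM1oE=</pin>
        </pin-set>
    </domain-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""

# Constructed weak config: cleartext on, user CAs trusted in release, one expired pin.
INSECURE_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain>example.com</domain>
        <pin-set expiration="2018-01-01">
            <pin digest="SHA-256">7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
"""


def manifest_nsc_reference(manifest_xml):
    """Return the android:networkSecurityConfig value on <application>, or None."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return None
    return app.get("{%s}networkSecurityConfig" % ANDROID_NS)


def audit_nsc(xml_text, today=None):
    """Return a list of findings; an empty list means no weak setting was found."""
    today = today or date.today()
    root = ET.fromstring(xml_text)
    if root.tag != "network-security-config":
        return ["root element is not <network-security-config>"]
    findings = []

    base = root.find("base-config")
    if base is None:
        findings.append("no <base-config>: platform default applies (cleartext allowed for apps targeting API 24-27)")
    elif base.get("cleartextTrafficPermitted") == "true":
        findings.append("<base-config> permits cleartext traffic")

    # User-installed CAs are acceptable only under <debug-overrides>.
    for section in root:
        if section.tag == "debug-overrides":
            continue
        for cert in section.iter("certificates"):
            if cert.get("src") == "user":
                findings.append('<%s> trusts user-installed CAs (src="user")' % section.tag)

    # iter() also reaches nested <domain-config> elements; findall() keeps direct <domain> children.
    for dc in root.iter("domain-config"):
        label = ", ".join((d.text or "").strip() for d in dc.findall("domain")) or "(no domain)"
        if dc.get("cleartextTrafficPermitted") == "true":
            findings.append("cleartext traffic permitted for %s" % label)
        pin_set = dc.find("pin-set")
        if pin_set is None:
            continue
        expiration = pin_set.get("expiration")
        if expiration and date.fromisoformat(expiration) < today:
            findings.append("pin-set for %s expired on %s: pinning is silently disabled" % (label, expiration))
        if len(pin_set.findall("pin")) < 2:
            findings.append("pin-set for %s has no backup pin: a key rotation locks clients out" % label)
    return findings


if __name__ == "__main__":
    print("manifest reference:", manifest_nsc_reference(MANIFEST))
    for name, cfg in (("secure", SECURE_NSC), ("insecure", INSECURE_NSC)):
        print(name, audit_nsc(cfg, today=AUDIT_DATE) or ["no findings"])
```

Two points worth knowing when reading the results: an expired pin-set does not make connections fail, it silently turns pinning off, which is why the 2018-01-01 date in the pinning example above needs a fresh value before reuse; and a config that trusts src="user" outside <debug-overrides> means any CA a user installs on the device can intercept the app's TLS traffic. The Network Security Configuration is honoured from API level 24 onward, and apps targeting API 28 or later get cleartext blocked by default, so the base-config check matters most for apps targeting API 24 to 27.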
Links
Standards
- OWASP_MASVS_L1:
  - MSTG_NETWORK_1
- OWASP_MASVS_v2_1:
  - MASVS_NETWORK_1
- OWASP_MASVS_L2:
  - MSTG_NETWORK_1
- PCI_STANDARDS:
  - REQ_1_2
  - REQ_2_2