Use of an insecure Bluetooth connection

Description

The app uses an insecure Bluetooth connection, with encryption switched off. An attacker in the physical vicinity of the connected devices can mount a man-in-the-middle attack to intercept and/or modify the transmitted data.

Recommendation

Use secure methods for Bluetooth connection and data exchange, such as createRfcommSocketToServiceRecord, listenUsingRfcommWithServiceRecord and similar methods.
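The following Android helper is an added example, not code from this page or its scanner. It opens both the client and server side of an RFCOMM channel through the secure methods named above, with the insecure counterparts shown in comments. The class name SecureRfcomm, the service name and the UUID are assumptions made for illustration.

```java
import android.annotation.SuppressLint;
import android.bluetooth.BluetoothAdapter;
import android.bluetooth.BluetoothDevice;
import android.bluetooth.BluetoothServerSocket;
import android.bluetooth.BluetoothSocket;
import java.io.IOException;
import java.util.UUID;

/** Hypothetical helper: opens RFCOMM channels only through the secure API variants. */
@SuppressLint("MissingPermission") // assumes the caller already holds the Bluetooth permissions
public final class SecureRfcomm {
    // Constructed sample values; replace with the app's own service name and UUID.
    private static final UUID SERVICE_UUID =
            UUID.fromString("00000000-0000-4000-8000-000000000001");
    private static final String SERVICE_NAME = "ExampleSecureService";

    private SecureRfcomm() {}

    /** Client side: connect to a remote device over an authenticated link. */
    public static BluetoothSocket connect(BluetoothDevice device) throws IOException {
        // Weak variant (unauthenticated link key, open to man-in-the-middle):
        //   device.createInsecureRfcommSocketToServiceRecord(SERVICE_UUID);
        BluetoothSocket socket = device.createRfcommSocketToServiceRecord(SERVICE_UUID);
        try {
            socket.connect(); // blocking call; run it off the main thread
            return socket;
        } catch (IOException e) {
            socket.close(); // do not leak a half-open socket on failure
            throw e;
        }
    }

    /** Server side: accept one incoming connection on a secure listening socket. */
    public static BluetoothSocket acceptOne(BluetoothAdapter adapter) throws IOException {
        // Weak variant:
        //   adapter.listenUsingInsecureRfcommWithServiceRecord(SERVICE_NAME, SERVICE_UUID);
        BluetoothServerSocket server =
                adapter.listenUsingRfcommWithServiceRecord(SERVICE_NAME, SERVICE_UUID);
        try {
            return server.accept(); // blocking call; returns the connected socket
        } finally {
            server.close(); // stops listening; the accepted socket stays open
        }
    }
}
```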

Standards

  • OWASP_MASVS_L1:
    • MSTG_NETWORK_1
  • OWASP_MASVS_L2:
    • MSTG_NETWORK_1
  • GDPR:
    • ART_5
    • ART_32
  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_4_2
    • REQ_6_2