Clear text HTTP request

Description

Mobile applications must use Transport Layer Security (TLS) to provide encryption at the transport layer and ensure the confidentiality and integrity of data in transit. This application does not use SSL/TLS and is vulnerable to traffic interception and modification.

An attacker performing a man-in-the-middle (MITM) attack may:

  • Passively intercept the communication to access any sensitive data in transit, such as usernames, passwords, or credit card numbers
  • Actively inject or remove content to forge or omit information, or to inject malicious scripts
  • Actively redirect the communication to the attacker, who poses as the initial trusted party

Recommendation

It is recommended to ensure the use of an encrypted channel for requests transmitting sensitive data. It is, however, highly recommended to encrypt all requests made by the application, as the interception and modification of non-sensitive requests could be leveraged to access sensitive data.

The encrypted channel should use secure protocols and cipher suites. Do not develop custom encryption protocols or algorithms.
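
One way to audit an app for this finding, as an added example that is not part of the original page. It assumes an Android app whose manifest and network security config have been decoded to text XML; the function names and all sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Cleartext URLs, skipping XML namespace identifiers and loopback hosts.
HTTP_URL = re.compile(
    r"http://(?!schemas\.android\.com|www\.w3\.org|localhost|127\.0\.0\.1)"
    r"[\w.-]+[^\s\"'<>]*")

def manifest_allows_cleartext(manifest_xml, target_sdk):
    """True if the manifest's <application> element permits cleartext traffic."""
    app = ET.fromstring(manifest_xml).find("application")
    flag = app.get(ANDROID_NS + "usesCleartextTraffic") if app is not None else None
    if flag is None:
        return target_sdk <= 27  # platform default: permitted up to API 27
    return flag.lower() == "true"

def nsc_cleartext_scopes(nsc_xml):
    """Scopes of a network security config that still permit cleartext.
    On API 24+ this file, when present, overrides the manifest flag."""
    scopes = []
    for node in ET.fromstring(nsc_xml).iter():
        if (node.tag in ("base-config", "domain-config")
                and node.get("cleartextTrafficPermitted") == "true"):
            domains = [d.text.strip() for d in node.findall("domain") if d.text]
            scopes.append((node.tag, domains))
    return scopes

def cleartext_urls(text):
    """Hard-coded http:// endpoints found in source or resource text."""
    return sorted(set(HTTP_URL.findall(text)))

# Constructed samples: a weak manifest, a weak config and its corrected form.
MANIFEST = '''<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:usesCleartextTraffic="true"/>
</manifest>'''
NSC_WEAK = '''<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">api.example.com</domain>
  </domain-config>
</network-security-config>'''
NSC_FIXED = '<network-security-config><base-config cleartextTrafficPermitted="false"/></network-security-config>'
SOURCE = 'val login = "http://api.example.com/v1/login"; val cdn = "https://cdn.example.com/a.js"'

if __name__ == "__main__":
    print("manifest permits cleartext:", manifest_allows_cleartext(MANIFEST, 34))
    print("weak config scopes:", nsc_cleartext_scopes(NSC_WEAK))
    print("cleartext endpoints:", cleartext_urls(MANIFEST + SOURCE))
```

An empty result from `nsc_cleartext_scopes` together with no `http://` endpoints is the state the recommendation above asks for.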