Android Apk Improper Certificate Validation Default
Description
Detects Android applications that implement unsafe SSL/TLS certificate validation: a custom TrustManager whose default, empty validation logic accepts every certificate. This is a significant security risk because an attacker in a man-in-the-middle position can present an invalid or attacker-controlled certificate and the application will accept it without any verification.
Detection Strategy
• Scans the application's code for implementations of TrustManager that use default certificate validation
• Identifies classes that extend X509TrustManager without proper certificate validation logic
• Detects checkServerTrusted() methods whose body is empty or otherwise performs no certificate validation (a method that never throws CertificateException accepts any chain)
• Reports a vulnerability when certificate validation is disabled or bypassed through default implementations
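As an added example that is not part of Fluid Attacks' rule or documentation, the following Python implements the heuristic the strategy describes over constructed Java sources: it finds classes that implement or extend X509TrustManager and flags those whose checkServerTrusted() body is empty or a bare return. The two sample classes, the `Pins` helper and the choice to scan source text rather than APK bytecode are assumptions made for the illustration.

```python
import re

# Constructed Java samples (not from any real app): one TrustManager that accepts
# everything and one that delegates to the platform validator and adds a pin check.
VULNERABLE_SRC = """
public class TrustAll implements javax.net.ssl.X509TrustManager {
    public void checkServerTrusted(X509Certificate[] chain, String authType) {
        // intentionally empty: every certificate is accepted
    }
}
"""
SAFE_SRC = """
public class PinningTrustManager implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType);  /* platform chain validation */
        if (!Pins.matches(chain[0])) throw new CertificateException("pin mismatch");  // Pins is hypothetical
    }
}
"""

CLASS_RE = re.compile(r"\bclass\s+(\w+)[^{]*\b(?:implements|extends)\b[^{]*\bX509TrustManager\b")
METHOD_RE = re.compile(r"\bcheckServerTrusted\s*\([^)]*\)[^{;]*\{")

def _block(src, open_idx):
    """Text between the brace at open_idx and its matching closing brace."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return src[open_idx + 1:]  # unbalanced source: treat the rest as the body

def _strip_comments(code):
    code = re.sub(r"/\*.*?\*/", "", code, flags=re.S)
    return re.sub(r"//[^\n]*", "", code)

def find_trust_all_managers(src):
    """Names of X509TrustManager classes whose checkServerTrusted validates nothing."""
    findings = []
    for cm in CLASS_RE.finditer(src):
        class_body = _block(src, src.index("{", cm.end()))
        mm = METHOD_RE.search(class_body)
        if mm is None:
            continue  # method inherited or absent: outside this rule's scope
        body = _strip_comments(_block(class_body, mm.end() - 1)).strip()
        # Empty body or a bare return can never throw, so every chain is accepted.
        if re.fullmatch(r"(return\s*;)?", body):
            findings.append(cm.group(1))
    return findings
```

Running `find_trust_all_managers` over the two samples reports `TrustAll` and nothing for the pinning class.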