Kotlin Cleartext Connection Spec
Description
Detects the use of unencrypted network communication channels in Kotlin applications. This includes plaintext FTP, SMTP, Telnet connections and TLS/SSL configurations that allow cleartext traffic, which could enable attackers to intercept sensitive data through network monitoring.
Detection Strategy
• Reports when code instantiates insecure network clients like FTPClient, SMTPClient, or TelnetClient that communicate in cleartext
• Identifies ConnectionSpec.Builder configurations that explicitly allow cleartext/unencrypted traffic
• Triggers on both direct instantiation of insecure clients and builder patterns that enable insecure communication
Vulnerable code example
import org.apache.commons.net.ftp.FTPClient
import org.apache.commons.net.telnet.TelnetClient
import org.apache.commons.net.smtp.SMTPClient
fun main() {
// Vulnerable: Uses telnet which transmits data in cleartext
val telnet = TelnetClient()
...✅ Secure code example
import org.apache.commons.net.ftp.FTPSClient
import org.apache.commons.net.smtp.SMTPSClient
import net.schmizz.sshj.SSHClient
import net.schmizz.sshj.transport.verification.KnownHosts
fun main() {
// Secure: Use SSH instead of Telnet for encrypted remote access
val sshClient = SSHClient()...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.