Description

The application does not define an SSLPinning mechanism or configures it insecurely, allowing an attacker to intercept and manipulate the information that travels through the application

Impact

- Intercept data from the app. - Tamper data from the app.

Recommendation

- Implement robust security controls for certificates, offering either a predefined set of trusted Certification Authorities or incorporating integrity checks and white lists of trusted public keys that the application will accept. - In res/xml/network_security_config.xml - Define pin-sets with integrity hashes. - Set trust-anchors by providing a list of trusted Certification Authorities.

Threat

Anonymous attacker from the Internet.

Expected Remediation Time

⏱️ 300 minutes.

Requirements

Fixes