403 – Insecure service configuration - usesCleartextTraffic

Description

The application has android:usesCleartextTraffic set to true, which allows it to access resources that do not use encryption, a situation that could be exploited by an attacker to perform MitM attacks and compromise the confidentiality and integrity of the application.

Impact

- Obtain sensitive information through MitM attacks. - Modify intercepted information with the aim of deceiving an application user.

Recommendation

The android:usesCleartextTraffic must be set to false.

Threat

Attacker without credentials from the same network segment as an application user.

Expected Remediation Time

15 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: A
• Attack complexity: H
• Attack Requirements: N
• Privileges required: N
• User interaction: A
• Confidentiality (VC): L
• Integrity (VI): L
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: P

Requirements

• 130 - Limit password lifespan
• 138 - Define lifespan for temporary passwords
• 140 - Define OTP lifespan

Last updated

2024/02/20