OWASP category: MASVS-CODE: Code Quality
Overview
The X509TrustManager
class is responsible for verifying the authenticity of a
remote server. It does this by validating the server's certificate.
An insecure X509TrustManager
implementation in an Android application is an
implementation that does not properly verify the authenticity of the server with
which the application is communicating. This can allow an attacker to
impersonate a legitimate server and trick the application into sending sensitive
data to the attacker.
The vulnerability exists because using the X509TrustManager
class,
Java/Android allows the complete overriding of server verification. The
X509TrustManager
class has two functions of interest:
checkServerTrusted()
and getAcceptedIssuers()
. These function
calls can be configured to trust all X.509 certificates. Finally, custom
validation logic may be buggy or incomplete and permit unexpected connections.
In all these cases, the purpose of the class has been negated and the network
connection established based on the X509TrustManager
output is not secure.
Impact
Unsafe X509TrustManager implementations can lead to vulnerabilities which can be used to perform MitM (Man-in-the-Middle) attacks on network traffic from the victim application. The impact of exploiting this insecure code is that a user's application network data can be compromised by network attackers (remotely or locally) if this code is triggered. The impact is dependent on the content of the network traffic being inadvertently exposed (PII, private information, sensitive session values, service credentials, etc).
Mitigations
Use the NetworkSecurityConfig.xml functionality to ensure that all
production, testing, debugging, and dev stage connections are properly handled
rather than using or implementing custom TLS/SSL certificate validation code. If
using a self-signed certificate is needed for test and debug builds, consider
using NetworkSecurityConfig instead of implementing a custom X509TrustManager
.
Resources
- Play Warning docs
- Documentation to assist configuring the Network security configuration xml file.
- Developer documentation for the TrustManager class.
- This check looks for X.509TrustManager implementations whose checkServerTrusted or checkClientTrusted methods do nothing (thus trusting any certificate chain).
- This check looks for custom X.509TrustManager implementations.
- https://cs.android.com/android-studio/platform/tools/base/+/mirror-goog-studio-main:lint/libs/lint-checks/src/main/java/com/android/tools/lint/checks/X509TrustManagerDetector.java