Insecure service configuration - usesCleartextTraffic

Description ​

The application has android:usesCleartextTraffic set to true, which allows it to access resources that do not use encryption, a situation that could be exploited by an attacker to perform MitM attacks and compromise the confidentiality and integrity of the application.

Impact ​

• Obtain sensitive information through MitM attacks.
• Modify intercepted information with the aim of deceiving an application user.

Recommendation ​

The android:usesCleartextTraffic must be set to false.

Threat ​

Attacker without credentials from the same network segment as an application user.

Expected Remediation Time ​

⌚ minutes.

Score ​

Default score using CVSS 3.1 . It may change depending on the context of the src.

Base ​

• Attack vector: A
• Attack complexity: H
• Privileges required: N
• User interaction: R
• Scope: U
• Confidentiality: L
• Integrity: L
• Availability: N

Temporal ​

• Exploit code madurity: P
• Remediation level: O
• Report confidence: C

Result ​

• Vector string: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
• Score:
  • Base: 3.7
  • Temporal: 3.4
• Severity:
  • Base: Low
  • Temporal: Low

Compliant code ​

src.examples.compliant

Non compliant code ​

src.examples.non_compliant

Requirements ​

• 130.Limit password lifespan
• 138.Define lifespan for temporary passwords
• 140.Define OTP lifespan

Fixes ​