PTKDMobile App Security
Knowledge base / PTKD-DYN-CLEARTEXT
high M5 MASVS-NETWORK-1 dynamic analysis PTKD-DYN-CLEARTEXT

Cleartext HTTP traffic at runtime

The app sent unencrypted HTTP requests during the run. Anyone on the network path can read or modify this traffic.

How it's exploited

The scanner watched the app send real HTTP requests during the run. On any shared network those exact requests are readable and modifiable by an on-path attacker; this is observed behavior, not a code-path guess.

Why it matters

Whatever rode in those flows (tokens, identifiers, content) is exposed in transit today.

How to fix it

  1. Open the captured flows in the finding evidence and fix each endpoint to HTTPS.
  2. Then block cleartext platform-wide (usesCleartextTraffic=false / ATS) so regressions fail loudly in QA.

References