PTKDMobile App Security
Knowledge base / PTKD-DYN-WEAKTLS
medium M5 MASVS-NETWORK-1 dynamic analysis PTKD-DYN-WEAKTLS

Weak TLS version negotiated at runtime

A connection negotiated SSL or TLS 1.0/1.1, which are deprecated and vulnerable.

How it's exploited

A connection negotiated TLS 1.0/1.1 (or SSL) at runtime. These versions have practical downgrade and decryption attacks and are widely deprecated.

Why it matters

Sessions to that host can be degraded and attacked with published techniques.

How to fix it

  1. Fix the server first: disable TLS < 1.2 on the endpoint.
  2. Set minimum TLS 1.2 in the client socket/OkHttp/ATS configuration so weak negotiation cannot recur.

References