PTKD Mobile App Security
Severity: high | Category: M5 | MASVS-NETWORK-1 | Detection: static analysis | ID: PTKD-NET-CLEARTEXT

Cleartext network traffic permitted

The app allows unencrypted HTTP. Traffic can be read or modified by anyone on the network path.

How it's exploited

On shared Wi-Fi (a cafe, hotel, or airport), an attacker runs a passive sniffer or an ARP-spoofing proxy. Every HTTP request the app makes, including session tokens and form data, is readable and modifiable in flight.

Why it matters

Account takeover via stolen session tokens, silent data tampering, and injected responses that can drive phishing inside your own app.

How to fix it

  1. Set android:usesCleartextTraffic="false" on <application>. The platform ignores this flag whenever a network-security-config is referenced, so also do step 2.
  2. Ship a network-security-config whose base-config sets cleartextTrafficPermitted="false", and reference it from <application> with android:networkSecurityConfig.
  3. Move every remaining http:// endpoint to HTTPS. If local development genuinely needs cleartext, scope the exception (a domain-config for the development host, or debug-overrides for debug builds) instead of permitting cleartext globally.
res/xml/network_security_config.xml
<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
</network-security-config>
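The three steps above interact through a precedence rule that is easy to get wrong: once a network-security-config is referenced, the manifest flag is ignored and base-config decides, and when neither says anything the platform default applies (permitted below API 28, blocked from API 28 on). The following static check, an added example rather than PTKD's own scanner, resolves the effective policy from an AndroidManifest.xml and its network_security_config.xml and reports the finding. The sample manifests and the 10.0.2.2 development exception are constructed inputs; the function name effective_cleartext_policy and the dict layout are this example's own choices.

```python
"""Static check: does an Android app effectively permit cleartext traffic?

Added example, not part of the PTKD knowledge base. Resolves the policy the
platform will enforce from the manifest and (optionally) the referenced
network-security-config, following the precedence rule described above.
"""
import xml.etree.ElementTree as ET
from typing import Optional

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# From Android 9 (API 28) the platform default flips to "cleartext not permitted".
CLEARTEXT_DEFAULT_FLIP_API = 28


def _android_attr(elem: ET.Element, name: str) -> Optional[str]:
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def effective_cleartext_policy(manifest_xml: str, nsc_xml: Optional[str], target_sdk: int) -> dict:
    """Return the effective cleartext policy plus findings.

    Precedence:
      * network-security-config referenced -> base-config decides, manifest flag ignored
      * otherwise -> android:usesCleartextTraffic decides
      * neither set -> platform default for the app's targetSdkVersion
    """
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")

    platform_default = target_sdk < CLEARTEXT_DEFAULT_FLIP_API
    manifest_flag = _android_attr(app, "usesCleartextTraffic")
    nsc_ref = _android_attr(app, "networkSecurityConfig")

    result = {
        "nsc_referenced": nsc_ref is not None,
        "manifest_flag": manifest_flag,
        "global_cleartext": None,   # True when cleartext is permitted for every host
        "cleartext_domains": [],    # scoped exceptions from domain-config elements
        "notes": [],
        "issues": [],
    }

    if nsc_ref is None:
        result["global_cleartext"] = (
            manifest_flag == "true" if manifest_flag is not None else platform_default
        )
    else:
        if nsc_xml is None:
            raise ValueError(f"manifest references {nsc_ref} but no config was supplied")
        nsc = ET.fromstring(nsc_xml)
        if manifest_flag is not None:
            result["notes"].append(
                "android:usesCleartextTraffic is ignored: a network-security-config is present"
            )
        base = nsc.find("base-config")
        base_attr = base.get("cleartextTrafficPermitted") if base is not None else None
        result["global_cleartext"] = (
            base_attr == "true" if base_attr is not None else platform_default
        )
        # iter() also catches domain-config elements nested inside other domain-configs.
        for dc in nsc.iter("domain-config"):
            if dc.get("cleartextTrafficPermitted") == "true":
                result["cleartext_domains"].extend(
                    d.text.strip() for d in dc.findall("domain") if d.text
                )

    if result["global_cleartext"]:
        result["issues"].append("PTKD-NET-CLEARTEXT: cleartext traffic permitted globally")
    for host in result["cleartext_domains"]:
        result["issues"].append(f"cleartext permitted for {host}; confirm this is development-only")
    return result


# Constructed sample inputs (not taken from any real app).
VULNERABLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application android:usesCleartextTraffic="true"/>
</manifest>"""

NO_FLAG_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application/>
</manifest>"""

HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application android:usesCleartextTraffic="false"
               android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>"""

# Same shape as the config above, plus a scoped exception for the emulator host alias.
HARDENED_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="false">10.0.2.2</domain>
  </domain-config>
</network-security-config>"""

if __name__ == "__main__":
    for label, args in [
        ("vulnerable", (VULNERABLE_MANIFEST, None, 27)),
        ("no flag, API 28", (NO_FLAG_MANIFEST, None, 28)),
        ("hardened", (HARDENED_MANIFEST, HARDENED_NSC, 33)),
    ]:
        print(label, effective_cleartext_policy(*args))
```

The check deliberately treats a scoped domain-config exception as a warning rather than a pass: it is the correct way to carve out a development host, but a reviewer still wants to see which hosts are exempt so that a production domain cannot slip in.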
