PTKD Mobile App Security
Knowledge base entry PTKD-NET-HTTP-URL
Severity: low | OWASP M5 | MASVS-NETWORK-1 | Detection: static analysis

Cleartext (http://) endpoints in the binary (review)

The binary contains http:// URLs that point at real hosts. Any of these that is actually requested at runtime travels unencrypted, so an on-path attacker can read or alter it. XML-namespace URIs (identifiers such as schema and xmlns strings, which are never fetched) are excluded from the match, but third-party SDK URLs may remain in the list, so review which of the reported URLs are actually fetched rather than merely present.

How it's exploited

Blocking cleartext through Android's Network Security Config (or android:usesCleartextTraffic="false") and iOS App Transport Security only covers the platform HTTP stacks of the app itself. A hardcoded http:// URL escapes that control when it is loaded into a WebView that is configured to ignore it, handed to the OS via a share or browser intent (another app's policy applies), or consumed by a third-party SDK that ships its own native networking (a bundled libcurl or raw sockets). Each of those paths silently downgrades to plaintext even though the app's own configuration looks correct.

Why it matters

Each such request leaks whatever it carries (session tokens, device identifiers, telemetry) and, where the response is used (remote configuration, scripts, WebView pages), lets an on-path attacker substitute content of their choosing, despite an otherwise secure transport configuration.

How to fix it

  1. Search sources, resources and bundled SDK strings for http:// literals and switch every real endpoint to https://. Do not rely on a global cleartext setting to catch them.
  2. For third-party hosts that genuinely lack HTTPS, permit cleartext only for that host through an explicit per-domain exception (an Android Network Security Config domain-config, an ATS NSExceptionDomains entry on iOS), never globally, and treat whatever comes back as untrusted: do not execute it, load it in a WebView, or let it drive security-relevant settings.
  3. Keep cleartext blocked platform-wide (base-config cleartextTrafficPermitted="false" on Android, ATS left enabled on iOS) so any missed URL fails fast in testing instead of silently working over plaintext.
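The review step and the three fix steps, worked as an added example (this is not PTKD's own code): a Python script that pulls http:// literals out of extracted strings, drops XML-namespace URIs, and checks every remaining host against an Android Network Security Config to report which URLs the platform will block (so they must be moved to https://) and which have an explicit per-domain exception and therefore need review as untrusted content. The namespace host list, the sample strings and the sample config are constructed for the example; the config parsing follows the documented Network Security Config rules but is a simplification, and the script does not parse iOS ATS settings.

```python
"""Triage http:// literals from an app binary or source tree against an
Android Network Security Config. Added example, not PTKD's own code."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Matches an http:// literal up to the first whitespace, quote or bracket.
URL_RE = re.compile(r"http://[A-Za-z0-9.\-]+(?::\d+)?[^\s\"'<>)]*")

# Hosts whose http:// URIs are identifiers (XML namespaces, schema ids) and are
# never fetched. Assumed starting list for this example; extend it per project.
NAMESPACE_HOSTS = {
    "schemas.android.com", "www.w3.org", "schemas.xmlsoap.org",
    "xml.apache.org", "java.sun.com", "xmlns.jcp.org", "ns.adobe.com",
}


def find_cleartext_urls(strings):
    """Return sorted, de-duplicated (url, host) pairs for http:// literals that
    name a real host rather than an XML namespace."""
    found = set()
    for s in strings:
        for m in URL_RE.finditer(s):
            host = urlsplit(m.group(0)).hostname
            if host and host not in NAMESPACE_HOSTS:
                found.add((m.group(0), host))
    return sorted(found)


def parse_nsc(nsc_xml):
    """Read the cleartext rules from a Network Security Config.
    Returns (base_cleartext, rules): base_cleartext is None when base-config is
    silent; rules is a list of (domain, include_subdomains, permitted).
    Simplification: a domain-config without the attribute falls back to the
    base setting here, even when it is nested inside another domain-config."""
    root = ET.fromstring(nsc_xml)
    base = root.find("base-config")
    base_cleartext = None
    if base is not None and base.get("cleartextTrafficPermitted") is not None:
        base_cleartext = base.get("cleartextTrafficPermitted") == "true"
    rules = []
    for dc in root.iter("domain-config"):
        permitted = dc.get("cleartextTrafficPermitted")
        if permitted is None:
            continue
        for d in dc.findall("domain"):
            rules.append((d.text.strip(), d.get("includeSubdomains") == "true",
                          permitted == "true"))
    return base_cleartext, rules


def host_matches(host, domain, include_subdomains):
    return host == domain or (include_subdomains and host.endswith("." + domain))


def triage(strings, nsc_xml, platform_default_cleartext=False):
    """Map each real http:// URL in `strings` to 'permitted' or 'blocked'.
    platform_default_cleartext is what the OS does when base-config says
    nothing: False on Android 9+, True on older releases."""
    base_cleartext, rules = parse_nsc(nsc_xml)
    if base_cleartext is None:
        base_cleartext = platform_default_cleartext
    verdicts = {}
    for url, host in find_cleartext_urls(strings):
        permitted, best = base_cleartext, -1
        for domain, subs, allowed in rules:
            # Android applies the most specific matching domain-config.
            if host_matches(host, domain, subs) and len(domain) > best:
                permitted, best = allowed, len(domain)
        verdicts[url] = "permitted" if permitted else "blocked"
    return verdicts


# Constructed sample input, as if taken from `strings` over the APK's dex and
# native libraries; the hosts are placeholders.
SAMPLE_STRINGS = [
    'xmlns:android="http://schemas.android.com/apk/res/android"',
    "http://www.w3.org/2001/XMLSchema-instance",
    "http://api.example.com/v1/login",
    "https://api.example.com/v1/login",
    "http://legacy-cdn.example.com/config.json",
    "http://metrics.vendor-sdk.example/collect",
]

# Constructed config: cleartext off everywhere (fix step 3) with one explicit
# exception for the legacy host that has no HTTPS (fix step 2).
SAMPLE_NSC = """<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">legacy-cdn.example.com</domain>
    </domain-config>
</network-security-config>"""

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_STRINGS, SAMPLE_NSC).items():
        action = ("review; treat content as untrusted" if verdict == "permitted"
                  else "fails at runtime; switch to https://")
        print(f"{verdict:9} {url}  ({action})")
```

Feed it the output of `strings` over classes.dex and the bundled native libraries, or a grep over the source tree, together with the app's res/xml network security config. A "blocked" URL is one the platform will refuse, which is what fix step 3 wants during testing; a "permitted" one is a deliberate exception and is exactly the content that must be handled as untrusted. Remember that the verdict only describes the app's own HTTP stack: URLs handed to another app or to an SDK with its own networking bypass the config regardless.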

References