PTKD Mobile App Security knowledge base: PTKD-NET-TRUSTALL
Severity: high | Tags: M5, MASVS-NETWORK-2, static analysis

TLS validation appears disabled (trust-all / accept-all hostnames)

The app references a known trust-all TrustManager or an accept-all HostnameVerifier. Either one disables TLS server authentication, so an attacker on the network path can intercept the connection (MITM).

How it's exploited

A custom TrustManager that returns without checking the certificate chain, or a HostnameVerifier that always answers yes, accepts any certificate for any host. Any MITM proxy can then terminate your "secure" connection with a self-signed certificate and read everything that passes through it.

Why it matters

TLS becomes decorative: credentials and data are fully exposed to any active network attacker, and app stores reject builds that contain this.

How to fix it

  1. Delete the trust-all TrustManager/HostnameVerifier (they usually date from a debugging session).
  2. Use the platform defaults; for an internal CA, ship the CA as a trust anchor in the Android Network Security Config instead of disabling validation.
  3. Add a CI grep/lint for X509TrustManager (and HostnameVerifier) overrides so the pattern cannot return.
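
As an added example (not from the PTKD page or any project's code), a minimal Python CI check for step 3: it flags the two idioms described above in Java/Kotlin source, ignores a delegating implementation that really validates, and returns a non-zero status for CI. The regexes are heuristics and the source samples are constructed here.

```python
import re
from typing import Dict, List, Tuple
# Heuristic patterns for the trust-all idioms this finding reports (DOTALL so
# multi-line bodies are caught): a checkServerTrusted whose body is empty or holds
# only comments / a bare return, and a verify() that just returns true (Java or Kotlin).
PATTERNS = [
    ("empty checkServerTrusted", re.compile(
        r"void\s+checkServerTrusted\s*\([^)]*\)[^{]*\{\s*"
        r"(?://[^\n]*\n\s*|/\*.*?\*/\s*|return\s*;\s*)*\}", re.DOTALL)),
    ("HostnameVerifier always returns true", re.compile(
        r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}"
        r"|HostnameVerifier\s*\{[^}]*->\s*true\s*\}", re.DOTALL)),
]

def scan_source(text: str) -> List[Tuple[str, int]]:
    """Return (finding, 1-based line) for every trust-all idiom in one file."""
    hits = []
    for label, pattern in PATTERNS:
        for m in pattern.finditer(text):
            hits.append((label, text.count("\n", 0, m.start()) + 1))
    return sorted(hits, key=lambda h: h[1])

def ci_gate(files: Dict[str, str]) -> int:
    """CI entry point: print one line per finding; return 1 if any, else 0."""
    total = 0
    for name, text in files.items():
        for label, line in scan_source(text):
            print(f"{name}:{line}: PTKD-NET-TRUSTALL {label}")
            total += 1
    return 1 if total else 0

# Constructed samples (not code from the page or any real app): the usual
# debugging-session pair, then a delegating pair that really validates.
VULNERABLE_JAVA = """\
TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
    public void checkServerTrusted(X509Certificate[] chain, String authType) {
        // TODO remove before release
    }
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
} };
HostnameVerifier allHosts = new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
};
"""
VULNERABLE_KOTLIN = "val v = HostnameVerifier { _, _ -> true }\n"
SAFE_JAVA = """\
public void checkServerTrusted(X509Certificate[] chain, String authType)
        throws CertificateException { delegate.checkServerTrusted(chain, authType); }
public boolean verify(String h, SSLSession s) { return HttpsURLConnection.getDefaultHostnameVerifier().verify(h, s); }
"""
```

Wire `ci_gate` to the build's source tree and fail the job on a non-zero result; the regexes are deliberately narrow, so extend them when the codebase uses other wrappers.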

References