rspec/rules/S5332/java/rule.adoc

include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
These clients from the https://commons.apache.org/proper/commons-net/[Apache Commons Net] library are based on unencrypted protocols and are not recommended:
[source,java]
----
TelnetClient telnet = new TelnetClient(); // Sensitive
FTPClient ftpClient = new FTPClient(); // Sensitive
SMTPClient smtpClient = new SMTPClient(); // Sensitive
----
Unencrypted HTTP connections, for instance when using the https://square.github.io/okhttp/https/[okhttp] library, should be avoided:
[source,java]
----
ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.CLEARTEXT) // Sensitive
.build();
----
Android WebView can be configured to let a secure origin load content from any other origin, even an insecure one (mixed content):
[source,java]
----
import android.webkit.WebSettings;
import android.webkit.WebView;

WebView webView = findViewById(R.id.webview);
webView.getSettings().setMixedContentMode(WebSettings.MIXED_CONTENT_ALWAYS_ALLOW); // Sensitive
----
== Compliant Solution
Use these clients from the https://commons.apache.org/proper/commons-net/[Apache Commons Net] and http://www.jcraft.com/jsch/[JSch (SSH)] libraries instead:
[source,java]
----
JSch jsch = new JSch();

if (implicit) {
  // implicit mode is considered deprecated but offers the same security as explicit mode
  FTPSClient ftpsClient = new FTPSClient(true);
} else {
  FTPSClient ftpsClient = new FTPSClient();
}

if (implicit) {
  // implicit mode is considered deprecated but offers the same security as explicit mode
  SMTPSClient smtpsClient = new SMTPSClient(true);
} else {
  SMTPSClient smtpsClient = new SMTPSClient();
  smtpsClient.connect("127.0.0.1", 25);
  if (smtpsClient.execTLS()) {
    // commands
  }
}
----
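Creating an ``++FTPSClient++`` only protects the control channel; the data channel (the file contents) stays in clear text unless ``++PBSZ++``/``++PROT P++`` are negotiated as well. The following explicit-mode upload is an added example, not part of the rule page, and uses placeholder host and credentials passed in by the caller:

```java
import java.io.IOException;
import java.io.OutputStream;
import org.apache.commons.net.ftp.FTP;
import org.apache.commons.net.ftp.FTPSClient;

public class SecureFtpUpload {

    // Hypothetical helper: uploads `data` as `remoteName` over explicit FTPS with
    // both the control and the data channel encrypted.
    public static void upload(String host, String user, String password,
                              String remoteName, byte[] data) throws IOException {
        FTPSClient ftps = new FTPSClient(); // explicit mode: AUTH TLS after connect
        ftps.connect(host, 21);
        try {
            if (!ftps.login(user, password)) {
                throw new IOException("FTPS login failed: " + ftps.getReplyString());
            }
            // Without these two commands only the control channel is encrypted;
            // the file contents would still travel in clear text.
            ftps.execPBSZ(0);
            ftps.execPROT("P");

            ftps.enterLocalPassiveMode();
            ftps.setFileType(FTP.BINARY_FILE_TYPE);
            try (OutputStream out = ftps.storeFileStream(remoteName)) {
                if (out == null) {
                    throw new IOException("STOR refused: " + ftps.getReplyString());
                }
                out.write(data);
            }
            if (!ftps.completePendingCommand()) {
                throw new IOException("Transfer not acknowledged: " + ftps.getReplyString());
            }
            ftps.logout();
        } finally {
            ftps.disconnect();
        }
    }
}
```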
Use encrypted HTTP connections, for instance with the https://square.github.io/okhttp/https/[okhttp] library:
[source,java]
----
ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
.build();
----
The most secure mode for Android WebView is ``++MIXED_CONTENT_NEVER_ALLOW++``:
[source,java]
----
import android.webkit.WebSettings;
import android.webkit.WebView;

WebView webView = findViewById(R.id.webview);
webView.getSettings().setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);
----
include::../exceptions.adoc[]
== See
include::../common/resources/documentation.adoc[]
include::../common/resources/articles.adoc[]
include::../common/resources/standards-mobile.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
endif::env-github,rspecator-view[]