2021-04-26 17:29:13 +02:00
include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
These clients from https://commons.apache.org/proper/commons-net/[Apache commons net] libraries are based on unencrypted protocols and are not recommended:
2023-01-09 15:29:41 +01:00
[source,kotlin]
2021-04-26 17:29:13 +02:00
----
val telnet = TelnetClient(); // Sensitive
val ftpClient = FTPClient(); // Sensitive
val smtpClient = SMTPClient(); // Sensitive
----
Unencrypted HTTP connections, when using https://square.github.io/okhttp/https/[okhttp] library for instance, should be avoided:
2023-01-09 15:29:41 +01:00
[source,kotlin]
2021-04-26 17:29:13 +02:00
----
val spec: ConnectionSpec = ConnectionSpec.Builder(ConnectionSpec.CLEARTEXT) // Sensitive
.build()
----
2023-01-09 15:29:41 +01:00
Android WebView can be configured to allow a secure origin to load content from any other origin, even if that origin is insecure (mixed content):
[source,kotlin]
2021-10-15 10:58:45 +02:00
----
import android.webkit.WebView
val webView: WebView = findViewById(R.id.webview)
webView.getSettings().setMixedContentMode(MIXED_CONTENT_ALWAYS_ALLOW) // Sensitive
----
2021-04-26 17:29:13 +02:00
== Compliant Solution
Use instead these clients from https://commons.apache.org/proper/commons-net/[Apache commons net] and http://www.jcraft.com/jsch/[JSch/ssh] library:
2022-02-04 17:28:24 +01:00
[source,kotlin]
2021-04-26 17:29:13 +02:00
----
2021-10-15 10:58:45 +02:00
JSch jsch = JSch();
2021-04-26 17:29:13 +02:00
if(implicit) {
// implicit mode is considered deprecated but offer the same security than explicit mode
2021-10-15 10:58:45 +02:00
val ftpsClient = FTPSClient(true);
2021-04-26 17:29:13 +02:00
}
else {
2021-10-15 10:58:45 +02:00
val ftpsClient = FTPSClient();
2021-04-26 17:29:13 +02:00
}
if(implicit) {
// implicit mode is considered deprecated but offer the same security than explicit mode
2021-10-15 10:58:45 +02:00
val smtpsClient = SMTPSClient(true);
2021-04-26 17:29:13 +02:00
}
else {
2021-10-15 10:58:45 +02:00
val smtpsClient = SMTPSClient();
2021-04-26 17:29:13 +02:00
smtpsClient.connect("127.0.0.1", 25);
if (smtpsClient.execTLS()) {
// commands
}
}
----
Perform HTTP encrypted connections, with https://square.github.io/okhttp/https/[okhttp] library for instance:
2022-02-04 17:28:24 +01:00
[source,kotlin]
2021-04-26 17:29:13 +02:00
----
2021-10-15 10:58:45 +02:00
val spec: ConnectionSpec =ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
2021-04-26 17:29:13 +02:00
.build()
----
2023-01-09 15:29:41 +01:00
The most secure mode for Android WebView is ``++MIXED_CONTENT_NEVER_ALLOW++``:
2022-02-04 17:28:24 +01:00
[source,kotlin]
2021-10-15 10:58:45 +02:00
----
import android.webkit.WebView
val webView: WebView = findViewById(R.id.webview)
webView.getSettings().setMixedContentMode(MIXED_CONTENT_NEVER_ALLOW)
----
2021-04-26 17:29:13 +02:00
include::../exceptions.adoc[]
2025-02-19 17:19:00 +01:00
== See
include::../common/resources/documentation.adoc[]
include::../common/resources/articles.adoc[]
include::../common/resources/standards-mobile.adoc[]
2023-06-22 10:38:01 +02:00
2024-05-06 07:56:31 +01:00
2021-09-20 15:38:42 +02:00
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
endif::env-github,rspecator-view[]
