include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

These clients from https://commons.apache.org/proper/commons-net/[Apache commons net] libraries are based on unencrypted protocols and are not recommended:

[source,java]
----
TelnetClient telnet = new TelnetClient(); // Sensitive

FTPClient ftpClient = new FTPClient(); // Sensitive

SMTPClient smtpClient = new SMTPClient(); // Sensitive
----

Unencrypted HTTP connections, when using https://square.github.io/okhttp/https/[okhttp] library for instance, should be avoided:

[source,java]
----
ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.CLEARTEXT) // Sensitive
  .build();
----

Android WebView can be configured to allow a secure origin to load content from any other origin, even if that origin is insecure (mixed content):

[source,java]
----
import android.webkit.WebView

WebView webView = findViewById(R.id.webview)
webView.getSettings().setMixedContentMode(MIXED_CONTENT_ALWAYS_ALLOW); // Sensitive
----

== Compliant Solution

Use instead these clients from https://commons.apache.org/proper/commons-net/[Apache commons net] and http://www.jcraft.com/jsch/[JSch/ssh] library:

[source,java]
----
JSch jsch = new JSch();

if(implicit) {
  // implicit mode is considered deprecated but offer the same security than explicit mode
  FTPSClient ftpsClient = new FTPSClient(true);
}
else {
  FTPSClient ftpsClient = new FTPSClient();
}

if(implicit) {
  // implicit mode is considered deprecated but offer the same security than explicit mode
  SMTPSClient smtpsClient = new SMTPSClient(true);
}
else {
  SMTPSClient smtpsClient = new SMTPSClient();
  smtpsClient.connect("127.0.0.1", 25);
  if (smtpsClient.execTLS()) {
    // commands
  }
}
----

Perform HTTP encrypted connections, with https://square.github.io/okhttp/https/[okhttp]  library for instance:

[source,java]
----
ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
  .build();
----

The most secure mode for Android WebView is ``++MIXED_CONTENT_NEVER_ALLOW++``:
[source,java]
----
import android.webkit.WebView

WebView webView = findViewById(R.id.webview)
webView.getSettings().setMixedContentMode(MIXED_CONTENT_NEVER_ALLOW);
----

include::../exceptions.adoc[]

== See

include::../common/resources/documentation.adoc[]

include::../common/resources/articles.adoc[]

include::../common/resources/standards-mobile.adoc[]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

endif::env-github,rspecator-view[]