104 lines
2.6 KiB
Plaintext
104 lines
2.6 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
These clients from https://commons.apache.org/proper/commons-net/[Apache commons net] libraries are based on unencrypted protocols and are not recommended:
|
|
|
|
[source,java]
|
|
----
|
|
TelnetClient telnet = new TelnetClient(); // Sensitive
|
|
|
|
FTPClient ftpClient = new FTPClient(); // Sensitive
|
|
|
|
SMTPClient smtpClient = new SMTPClient(); // Sensitive
|
|
----
|
|
|
|
Unencrypted HTTP connections, when using https://square.github.io/okhttp/https/[okhttp] library for instance, should be avoided:
|
|
|
|
[source,java]
|
|
----
|
|
ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.CLEARTEXT) // Sensitive
|
|
.build();
|
|
----
|
|
|
|
Android WebView can be configured to allow a secure origin to load content from any other origin, even if that origin is insecure (mixed content):
|
|
|
|
[source,java]
|
|
----
|
|
import android.webkit.WebView
|
|
|
|
WebView webView = findViewById(R.id.webview)
|
|
webView.getSettings().setMixedContentMode(MIXED_CONTENT_ALWAYS_ALLOW); // Sensitive
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
Use instead these clients from https://commons.apache.org/proper/commons-net/[Apache commons net] and http://www.jcraft.com/jsch/[JSch/ssh] library:
|
|
|
|
[source,java]
|
|
----
|
|
JSch jsch = new JSch();
|
|
|
|
if(implicit) {
|
|
// implicit mode is considered deprecated but offer the same security than explicit mode
|
|
FTPSClient ftpsClient = new FTPSClient(true);
|
|
}
|
|
else {
|
|
FTPSClient ftpsClient = new FTPSClient();
|
|
}
|
|
|
|
if(implicit) {
|
|
// implicit mode is considered deprecated but offer the same security than explicit mode
|
|
SMTPSClient smtpsClient = new SMTPSClient(true);
|
|
}
|
|
else {
|
|
SMTPSClient smtpsClient = new SMTPSClient();
|
|
smtpsClient.connect("127.0.0.1", 25);
|
|
if (smtpsClient.execTLS()) {
|
|
// commands
|
|
}
|
|
}
|
|
----
|
|
|
|
Perform HTTP encrypted connections, with https://square.github.io/okhttp/https/[okhttp] library for instance:
|
|
|
|
[source,java]
|
|
----
|
|
ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
|
|
.build();
|
|
----
|
|
|
|
The most secure mode for Android WebView is ``++MIXED_CONTENT_NEVER_ALLOW++``:
|
|
[source,java]
|
|
----
|
|
import android.webkit.WebView
|
|
|
|
WebView webView = findViewById(R.id.webview)
|
|
webView.getSettings().setMixedContentMode(MIXED_CONTENT_NEVER_ALLOW);
|
|
----
|
|
|
|
include::../exceptions.adoc[]
|
|
|
|
== See
|
|
|
|
include::../common/resources/documentation.adoc[]
|
|
|
|
include::../common/resources/articles.adoc[]
|
|
|
|
include::../common/resources/standards-mobile.adoc[]
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|