Severity: high | CWE-319 | OWASP Mobile Top 10 M5:2024

Insecure Communication

A mobile app transmits sensitive data over plain HTTP instead of HTTPS, or accepts invalid TLS certificates, which lets an attacker on the same network (public WiFi, a hostile access point, a compromised router) run a man-in-the-middle attack against it.

How It Works

When a mobile app talks over plain HTTP, or over HTTPS without properly validating the server's TLS certificate (chain of trust and hostname), an attacker positioned on the network path, for example on the same public WiFi, can intercept all of its traffic with a man-in-the-middle attack. Plain HTTP needs no tricks at all; with broken validation the attacker simply presents a self-signed or mismatched certificate and the app accepts it. Either way the attacker can read passwords, session tokens and personal data, and can modify responses, including the code or configuration the app downloads. Disabling certificate validation to get past a self-signed certificate on a test server (for example with `rejectUnauthorized: false`, `NODE_TLS_REJECT_UNAUTHORIZED=0`, or a custom trust manager that accepts everything) and forgetting to remove it before release is a common way this bug reaches production.

Vulnerable Code

// Disabling TLS validation (dangerous!): rejectUnauthorized: false makes the
// client accept ANY certificate, including an attacker's self-signed one, so
// HTTPS no longer authenticates the server at all.
import https from 'node:https';
import fetch from 'node-fetch'; // node-fetch accepts a custom agent; Node's built-in fetch does not
const agent = new https.Agent({
  rejectUnauthorized: false
});
fetch('https://api.myapp.com/data', { agent });

Secure Code

// Proper TLS with certificate pinning (React Native).
// 'my-api-cert' refers to a my-api-cert.cer file bundled with the app (iOS bundle /
// Android assets); the request fails unless the server's certificate matches it.
// Ship a backup pin for the next certificate so rotation does not break the app.
import { fetch } from 'react-native-ssl-pinning';
const response = await fetch('https://api.myapp.com/data', {
  method: 'GET',
  sslPinning: { certs: ['my-api-cert'] }
});

Real-World Example

In 2014, researchers found that 73% of the top 100 banking apps on Android had SSL implementation flaws. Many accepted self-signed certificates or didn't validate hostnames, making MITM attacks trivial on public WiFi networks.

How to Prevent It

  • Always use HTTPS (TLS) for all network communication, including analytics, crash reporting and third-party SDK traffic, not just your own API
  • Implement certificate or public-key pinning for sensitive APIs, and always ship at least one backup pin so a certificate rotation does not lock users out
  • Never disable TLS certificate validation (chain or hostname checks) in production builds; if a test server needs a self-signed certificate, trust that specific certificate in debug builds only
  • Enforce the platform defaults: App Transport Security on iOS (do not set NSAllowsArbitraryLoads to true) and a Network Security Config on Android with cleartextTrafficPermitted="false" and, where appropriate, a pin-set

Affected Technologies

Mobile, React Native, Flutter

Data Hogo detects this vulnerability automatically.

