Network Security Flashcards

SECURITY › Security

What is the default cleartext (HTTP) traffic behavior on Android 9 (API 28) and above?
Cleartext is disabled by default. Plain HTTP requests fail unless you explicitly opt in via cleartextTrafficPermitted="true" for a specific domain in the network security configuration.
How does TLS let a client verify it is talking to the real server, and what does a MITM attack defeat?
The server presents a certificate chain that must terminate in a CA the device trusts, and the client verifies the certificate hostname matches the requested host. A MITM presents its own cert; it fails unless the attacker controls a trusted CA or hostname checks are skipped.
What exactly does an Android certificate pin contain (the value in <pin digest="SHA-256">)?
A Base64-encoded SHA-256 hash of the certificate's SubjectPublicKeyInfo (SPKI), not the whole certificate. Pinning the public key lets the cert be reissued with the same key without breaking the pin.
Why is a backup pin mandatory when you pin certificates, and what is the rotation risk?
If you pin only the current key and that key/CA rotates (or the cert is reissued with a new key), every installed app loses connectivity until updated. A backup pin for a not-yet-deployed key gives you a safe rotation path.
What does the expiration attribute on a <pin-set> do, and what is its tradeoff?
After the expiration date, pinning is no longer enforced for that domain. It prevents bricking un-updated apps, but it also means an attacker who can wait past expiry (or roll the clock) can bypass pinning entirely.
Why can you never safely store an API key or secret in the Android client?
An APK can be decompiled and resources/strings/native libs inspected, so any embedded secret is extractable. Real secrets belong on a backend that proxies the third-party call; the client uses short-lived tokens.
How do you trust a self-signed or private CA only for debugging without weakening the release build?
Put the CA under a <debug-overrides> trust-anchors block. It applies only when android:debuggable="true" (non-release builds) and is ignored otherwise, and Play rejects debuggable release builds.
Does SSLSocket perform hostname verification by default, and what is the safer default?
No. A raw SSLSocket validates the certificate chain but does NOT verify the hostname, so you must do it yourself (e.g., via HostnameVerifier). Prefer HttpsURLConnection (or a library like OkHttp) which verifies the hostname for you.
In network_security_config.xml, what is the difference between base-config and domain-config?
base-config sets the default policy for all destinations not matched by a domain-config. domain-config overrides policy for specific domains (and optionally subdomains); the most specific matching domain rule wins.

Back to Network Security