Network Security Flashcards
SECURITY › Security
- What is the default cleartext (HTTP) traffic behavior on Android 9 (API 28) and above?
- Cleartext is disabled by default. Plain HTTP requests fail unless you explicitly opt in via cleartextTrafficPermitted="true" for a specific domain in the network security configuration.
- How does TLS let a client verify it is talking to the real server, and what does a MITM attack defeat?
- The server presents a certificate chain that must terminate in a CA the device trusts, and the client verifies the certificate hostname matches the requested host. A MITM presents its own cert; it fails unless the attacker controls a trusted CA or hostname checks are skipped.
- What exactly does an Android certificate pin contain (the value in <pin digest="SHA-256">)?
- A Base64-encoded SHA-256 hash of the certificate's SubjectPublicKeyInfo (SPKI), not the whole certificate. Pinning the public key lets the cert be reissued with the same key without breaking the pin.
- Why is a backup pin mandatory when you pin certificates, and what is the rotation risk?
- If you pin only the current key and that key/CA rotates (or the cert is reissued with a new key), every installed app loses connectivity until updated. A backup pin for a not-yet-deployed key gives you a safe rotation path.
- What does the expiration attribute on a <pin-set> do, and what is its tradeoff?
- After the expiration date, pinning is no longer enforced for that domain. It prevents bricking un-updated apps, but it also means an attacker who can wait past expiry (or roll the clock) can bypass pinning entirely.
- Why can you never safely store an API key or secret in the Android client?
- An APK can be decompiled and resources/strings/native libs inspected, so any embedded secret is extractable. Real secrets belong on a backend that proxies the third-party call; the client uses short-lived tokens.
- How do you trust a self-signed or private CA only for debugging without weakening the release build?
- Put the CA under a <debug-overrides> trust-anchors block. It applies only when android:debuggable="true" (non-release builds) and is ignored otherwise, and Play rejects debuggable release builds.
- Does SSLSocket perform hostname verification by default, and what is the safer default?
- No. A raw SSLSocket validates the certificate chain but does NOT verify the hostname, so you must do it yourself (e.g., via HostnameVerifier). Prefer HttpsURLConnection (or a library like OkHttp) which verifies the hostname for you.
- In network_security_config.xml, what is the difference between base-config and domain-config?
- base-config sets the default policy for all destinations not matched by a domain-config. domain-config overrides policy for specific domains (and optionally subdomains); the most specific matching domain rule wins.