Potentially Clear text HTTP request

Description

Mobile applications must use Secure Sockets Layer (SSL) / Transport Layer Security (TLS) to provide encryption at the transport layer and ensure the confidentiality and integrity of data in transit. This application does not use SSL/TLS and is vulnerable to traffic interception and modification.

An attacker performing a man-in-the-middle (MITM) attack may:

  • Passively intercept the communication to access any sensitive data in transit, such as usernames, passwords or credit card numbers
  • Actively inject or remove content to forge and omit information or inject malicious scripts
  • Actively redirect the communication to the attacker in the context of the initial trusted party

Recommendation

It is recommended to ensure the use of an encrypted channel for requests transmitting sensitive data. It is, however, highly recommended to encrypt all requests made by the application, as the interception and modification of non-sensitive requests could be leveraged to access sensitive data.

The encrypted channel should use secure protocols and cipher suites; do not develop custom encryption protocols or algorithms.

Technical details
[TAINT] String 'http://%s/%s.%s?platform=android&dev=%s&minify=%s' ==>>> Sink '['Ljava/net/URL;', '<init>', '(Ljava/lang/String;)V', '0', 'SOCKET_SINK']' [[('Lcom/facebook/react/devsupport/DevSupportManagerImpl$18;', 'run', '()V'), ('Lcom/facebook/react/devsupport/DevSupportManagerImpl;', 'handleReloadJS', '()V'), ('Lcom/facebook/react/devsupport/DevSupportManagerImpl;', 'reloadJSFromServer', '(Ljava/lang/String;)V'), ('Lcom/facebook/react/devsupport/DevLoadingViewController;', 'showForUrl', '(Ljava/lang/String;)V'), ('Ljava/net/URL;', '<init>', '(Ljava/lang/String;)V')]]

Use of a clear-text non-encrypted HTTP URL:

Method com.facebook.react.devsupport.DevSupportManagerImpl$18.run():


    public void run()
    {
        this.this$0.handleReloadJS();
        return;
    }

Method com.facebook.react.devsupport.DevSupportManagerImpl.handleReloadJS():


    public void handleReloadJS()
    {
        com.facebook.react.bridge.UiThreadUtil.assertOnUiThread();
        com.facebook.react.bridge.ReactMarker.logMarker(com.facebook.react.bridge.ReactMarkerConstants.RELOAD, this.mDevSettings.getPackagerConnectionSettings().getDebugServerHost());
        this.hideRedboxDialog();
        if (!this.mDevSettings.isRemoteJSDebugEnabled()) {
            com.facebook.debug.holder.PrinterHolder.getPrinter().logMessage(com.facebook.debug.tags.ReactDebugOverlayTags.RN_CORE, "RNCore: load from Server");
            this.reloadJSFromServer(this.mDevServerHelper.getDevServerBundleURL(((String) com.facebook.infer.annotation.Assertions.assertNotNull(this.mJSAppBundleName))));
        } else {
            com.facebook.debug.holder.PrinterHolder.getPrinter().logMessage(com.facebook.debug.tags.ReactDebugOverlayTags.RN_CORE, "RNCore: load from Proxy");
            this.mDevLoadingViewController.showForRemoteJSEnabled();
            this.mDevLoadingViewVisible = 1;
            this.reloadJSInProxyMode();
        }
        return;
    }

Method com.facebook.react.devsupport.DevSupportManagerImpl.reloadJSFromServer():


    public void reloadJSFromServer(String p5)
    {
        com.facebook.react.bridge.ReactMarker.logMarker(com.facebook.react.bridge.ReactMarkerConstants.DOWNLOAD_START);
        this.mDevLoadingViewController.showForUrl(p5);
        this.mDevLoadingViewVisible = 1;
        com.facebook.react.devsupport.BundleDownloader$BundleInfo v0_4 = new com.facebook.react.devsupport.BundleDownloader$BundleInfo();
        this.mDevServerHelper.downloadBundleFromURL(new com.facebook.react.devsupport.DevSupportManagerImpl$24(this, v0_4), this.mJSBundleTempFile, p5, v0_4);
        return;
    }

Method com.facebook.react.devsupport.DevLoadingViewController.showForUrl():


    public void showForUrl(String p7)
    {
        String v0_0 = this.getContext();
        if (v0_0 != null) {
            try {
                StringBuilder v1_5 = new java.net.URL(p7);
                String v2_2 = new Object[1];
                StringBuilder v4_0 = new StringBuilder();
                v4_0.append(v1_5.getHost());
                v4_0.append(":");
                v4_0.append(v1_5.getPort());
                v2_2[0] = v4_0.toString();
                this.showMessage(v0_0.getString(com.facebook.react.R$string.catalyst_loading_from_url, v2_2));
                return;
            } catch (String v7_2) {
                StringBuilder v1_3 = new StringBuilder();
                v1_3.append("Bundle url format is invalid. \n\n");
                v1_3.append(v7_2.toString());
                com.facebook.common.logging.FLog.e("ReactNative", v1_3.toString());
                return;
            }
        } else {
            return;
        }
    }

Method java.net.URL.<init>() not found.