@misterAnderson90
Created March 31, 2022 14:38

CogniCrypt (report 28) for EteSync

  • Class: com.etesync.syncadapter.HttpClient$Builder

  • Method: build

  • Line: 232

  • Issue details: ConstraintError-1

    • ConstraintError violating CrySL rule for javax.net.ssl.SSLContext.

    • First parameter (with value "TLS") should be any of {TLSv1.2, TLSv1.3}.

Code

 val sslContext = SSLContext.getInstance("TLS")
 sslContext.init(
      if (keyManager != null) arrayOf(keyManager) else null,
      arrayOf(trustManager),
      null)
 orig.sslSocketFactory(sslContext.socketFactory, trustManager)
 orig.hostnameVerifier(hostnameVerifier)

 return HttpClient(orig.build(), certManager)
}

Questions

  1. How likely might this warning reveal a security threat to this app?

    a. Very unlikely;

    b. Unlikely;

    c. I cannot evaluate this;

    d. Likely;

    e. Very likely;

  2. Are you likely to accept a patch that fixes this particular issue?
