I don't know Java much, and Android programming even less, so maybe I have overlooked something, but it seems that Intra doesn't implement any kind of certificate pinning, nor any way to ensure that the certificate chain includes required certificates.
This is important for security, as TLS alone encrypts the communications, but doesn't ensure that the client is actually talking to the right server.
Domain names switch hands (see dnscrypt.org that is now owned by some kind of advertising company) and IP addresses get reassigned (see the recent PowerDNS case, where a DNS record they forgot about eventually ended up pointing to a malicious IP).
To mitigate this, pinning should at least be implemented. Or the client configuration should include a set of hashes, at least one of them having to match the hash of a certificate in the chain.