
Port mastg test 0020 (by @guardsquare) #3027

Merged (6 commits) on Nov 6, 2024

Conversation

titze (Collaborator) commented Nov 4, 2024

Thank you for submitting a Pull Request to the OWASP MASTG. Please make sure that:

  • Your contribution is written in the 2nd person (e.g. you)
  • Your contribution is written in the active present tense as much as possible.
  • You have made sure that the reference section is up to date (e.g. please add sources you have used, make sure that the references to MITRE/MASVS/etc. are up to date)
  • Your contribution has properly formatted markdown and/or code
  • Any references to websites have been formatted as [TEXT](URL “NAME”)
  • You verified/tested the effectiveness of your contribution (e.g.: is the code really an effective remediation? Please verify it works!)

If your PR is related to an issue, please end your PR text with the following line:
This PR closes #2961 .


## Overview

You can observe the TLS protocol the app uses by observing the traffic on the network.
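Review bot: the Overview sentence reads "observe ... by observing" and gives no reason why capturing traffic is preferable to reading the code. Suggest stating that the version seen on the wire is the one actually negotiated between the app and the server, which is what this network-level test is about, and that it therefore also depends on the server: a capture taken against a server that only offers TLS 1.2 and 1.3 cannot show that the client would still accept TLS 1.0, so the test should say which endpoints were observed and under what server configuration.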
Collaborator

It would be nice to elaborate a bit on why "observing the TLS protocol the app uses by observing the traffic on the network" is valuable (e.g. because of some limitation of doing it statically?)

@@ -0,0 +1,24 @@
---
title: Usage of Insecure TLS Protocols
Collaborator

Maybe something more specific like "Usage of Insecure TLS Protocols in Network Traffic" or simply "Insecure TLS Protocols in Network Traffic"?

@@ -0,0 +1,34 @@
---
title: Usage of Insecure TLS Protocols
Collaborator

Maybe something more specific like

  • "Use of Insecure TLS Protocols in Code"
  • "Insecure TLS Protocols Set in Code"
  • or "Insecure TLS Protocols Explicitly Allowed in Code"?

The "in Code" differentiates this test from the other one which is done at the network level.


## Evaluation

The evaluation fails if any ["insecure TLS version"](https://mas.owasp.org/MASTG/0x04f-Testing-Network-Communication/#recommended-tls-settings) is used.
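Review bot: "is used" on the Evaluation line is ambiguous for a network-level test. Whether the app would accept a downgraded version is only visible in a capture if the server actually selects that version, so an app that silently accepts TLS 1.0 still passes when tested only against a production server offering TLS 1.2+. Suggest stating that the test case fails if an insecure TLS version is negotiated in the captured traffic, and adding that the capture should include a connection to an endpoint (for example an interception proxy) configured to offer only the insecure versions, so that the client's acceptance of them becomes observable.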
Collaborator

Always start the evaluation with "The test case fails"

Suggested change
The evaluation fails if any ["insecure TLS version"](https://mas.owasp.org/MASTG/0x04f-Testing-Network-Communication/#recommended-tls-settings) is used.
The test case fails if any ["insecure TLS version"](https://mas.owasp.org/MASTG/0x04f-Testing-Network-Communication/#recommended-tls-settings) is used.


## Overview

Multiple ways to enable insecure protocols exist in Android:
Collaborator

Maybe better like this, since these are not the only 2 ways of doing this on Android, right?

Suggested change
Multiple ways to enable insecure protocols exist in Android:
There are several ways to enable insecure versions of TLS in Android, including:


### Java Sockets

If the app uses Java Sockets, the API call `javax.net.ssl.SSLSocket.setEnabledProtocols(String[] protocols)` sets the enabled protocols.
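Review bot: the Java Sockets paragraph names only `javax.net.ssl.SSLSocket.setEnabledProtocols(String[])`, but the enabled set can equally be changed through `javax.net.ssl.SSLParameters.setProtocols(String[])` applied with `SSLSocket.setSSLParameters(...)`, or through `javax.net.ssl.SSLEngine.setEnabledProtocols(String[])` for engine-based I/O; a static check that only searches for `setEnabledProtocols` on `SSLSocket` will miss these. Suggest listing them here, and noting explicitly that whatever is passed to these calls is independent of the Network Security Configuration, which does not control TLS versions, so the NSC offers no compensating control.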
Collaborator

Maybe better something like (please improve):

Java Sockets effectively bypass the Android Network Security Configuration. Using the API call javax.net.ssl.SSLSocket.setEnabledProtocols(String[] protocols) allows the app to set insecure protocols.

Collaborator Author

Left out the part of NSC here, since this is in the overview now and you cannot set the TLS version with it anyway.


## Evaluation

The evaluation fails if any ["insecure TLS version"](https://mas.owasp.org/MASTG/0x04f-Testing-Network-Communication/#recommended-tls-settings) is directly enabled, or if the app enabled `okhttp3.ConnectionSpec.COMPATIBLE_TLS`.s
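Review bot: apart from the stray "s" after the final period on the Evaluation line, the reference to `okhttp3.ConnectionSpec.COMPATIBLE_TLS` needs a version qualifier. The set of TLS versions that constant enables has changed across OkHttp releases (the Third-party Libraries text links OkHttp's TLS configuration history for exactly this reason), so the evaluation should be made against the OkHttp version actually bundled in the APK rather than against the constant's name alone; suggest wording such as "enables a connection spec that, in the OkHttp version the app ships, includes an insecure TLS version".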
Collaborator

Always start the evaluation with "The test case fails"

Please review the second edit. Maybe it's better to generalize this.

Suggested change
The evaluation fails if any ["insecure TLS version"](https://mas.owasp.org/MASTG/0x04f-Testing-Network-Communication/#recommended-tls-settings) is directly enabled, or if the app enabled `okhttp3.ConnectionSpec.COMPATIBLE_TLS`.s
The test case fails if any ["insecure TLS version"](https://mas.owasp.org/MASTG/0x04f-Testing-Network-Communication/#recommended-tls-settings) is directly enabled, or if the app enabled any settings allowing the use of outdated TLS versions, such as `okhttp3.ConnectionSpec.COMPATIBLE_TLS`.

(A further comment on tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x20-1.md was marked outdated and resolved.)

If the app uses Java Sockets, the API call `javax.net.ssl.SSLSocket.setEnabledProtocols(String[] protocols)` sets the enabled protocols.

### OkHttp
Collaborator

Should we include this and use okhttp as an example?

### Third-party Libraries

Other libraries, such as [OkHttp](https://square.github.io/okhttp/), [Retrofit](https://square.github.io/retrofit/) or Apache HttpClient may have their own configurations for TLS protocols.

For example, if the app uses OkHttp and sets the allowed TLS protocols to `ConnectionSpec.COMPATIBLE_TLS` by calling `okhttp3.ConnectionSpec.Builder.connectionSpecs(...)`, this results in one or more insecure TLS versions (e.g, in TLS v1.1 (see ["configuration history"](https://square.github.io/okhttp/security/tls_configuration_history/#okhttp-313))).

The API call `okhttp3.ConnectionSpec.Builder.tlsVersions(...)` (["OkHttp documentation"](https://square.github.io/okhttp/features/https/)) can also be used to set the enabled protocols.
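Review bot: the second paragraph attributes `connectionSpecs(...)` to `okhttp3.ConnectionSpec.Builder`, but that method belongs to `okhttp3.OkHttpClient.Builder` (it takes a list of `ConnectionSpec`); `ConnectionSpec.Builder` is where `tlsVersions(...)` lives, as the following paragraph correctly says. Suggest "by passing `ConnectionSpec.COMPATIBLE_TLS` to `okhttp3.OkHttpClient.Builder.connectionSpecs(...)`". The parenthetical "(e.g, in TLS v1.1 (see ...))" is also garbled; "(e.g. TLS 1.1, see ...)" reads cleanly. Finally, Retrofit does not have TLS settings of its own: it delegates HTTP to an OkHttp client, so the tester should look at the `OkHttpClient` the Retrofit instance is built with, which is worth stating so Retrofit is not treated as a separate configuration surface.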

@titze titze requested a review from cpholguera November 5, 2024 18:15
(Further comments on tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x20-1.md and tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x20-2.md were marked outdated and resolved.)
@cpholguera cpholguera merged commit 28d5e3c into OWASP:master Nov 6, 2024
3 checks passed
Development

Successfully merging this pull request may close these issues.

MASTG v1->v2 MASTG-TEST-0020: Testing the TLS Settings (android)