Google Play Warning: How to fix incorrect implementation of HostnameVerifier

Question

Today I just received this email from Google:

Your app(s) listed at the end of this email have an unsafe implementation of the HostnameVerifier interface, which accepts all hostnames when establishing an HTTPS connection to a remote host with the setDefaultHostnameVerifier API, thereby making your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials), and even change the data transmitted on the HTTPS connection.

Sadly, I searched all my code and found no use of HostnameVerifier, nor setDefaultHostnameVerifier or even any HTTPS connections!

I'm using Google's compatibility libraries in its latest version: 25.0.1, and in some of my apps the Google Ads 9.8.0. Will upgrade Ads to 10.0.1, as I can only assume the culprit is in there?!

Did anyone received this alert and if so how did you solve it?

Answer 1

As per the mail received from Google, there can be two possibilities for this issue:

Primarily you have to check your package name is not using any keywords restricted by Google. For example "com.companyname.android", .android is not allowed. Secondary is to check for HostNameVerifier

HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(final String hostname, final SSLSession session) {
        if (/* check if SSL is really valid */)
            return true;
        else
            return false;
    }
});

Answer 2

Same here - Insecure Hostname Verifier Detected in APK

Your app is using an unsafe implementation of HostnameVerifier. Please see this Google Help Center article for details, including the deadline for fixing the vulnerability. Im not using HostnameVerifier and not calling setDefaultHostnameVerifier. Moreover - Im using OKHTTP lib for http-requests. I hope that defining TrustManager will solve this issue.

Since I'm not subclassing HostnameVerifier or calling setDefaultHostnameVerifier() I assume it relies to some 3rd party lib. Since I can't detect such lib I think I will try to add a class with following code

    HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
        public boolean verify(final String hostname, final SSLSession session) {
            if (check if SSL is really valid)
                return true;
            else
                return false;
        }
    });

to my project and will see if it fixes the issue.
So I did it and additionally to every webView I've added overridden method

@Override
            public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
// the main thing is to show dialog informing user
// that SSL cert is invalid and prompt him to continue without 
// protection: handler.proceed();
// or cancel: handler.cancel();
                String message;
                switch(error.getPrimaryError()) {
                    case SslError.SSL_DATE_INVALID:
                        message = ResHelper.getString(R.string.ssl_cert_error_date_invalid);
                        break;
                    case SslError.SSL_EXPIRED:
                        message = ResHelper.getString(R.string.ssl_cert_error_expired);
                        break;
                    case SslError.SSL_IDMISMATCH:
                        message = ResHelper.getString(R.string.ssl_cert_error_idmismatch);
                        break;
                    case SslError.SSL_INVALID:
                        message = ResHelper.getString(R.string.ssl_cert_error_invalid);
                        break;
                    case SslError.SSL_NOTYETVALID:
                        message = ResHelper.getString(R.string.ssl_cert_error_not_yet_valid);
                        break;
                    case SslError.SSL_UNTRUSTED:
                        message = ResHelper.getString(R.string.ssl_cert_error_untrusted);
                        break;
                    default:
                        message = ResHelper.getString(R.string.ssl_cert_error_cert_invalid);
                }
                mSSLConnectionDialog = new MaterialDialog.Builder(getParentActivity())
                        .title(R.string.ssl_cert_error_title)
                        .content(message)
                        .positiveText(R.string.continue_button)
                        .negativeText(R.string.cancel_button)
                        .titleColorRes(R.color.black)
                        .positiveColorRes(R.color.main_red)
                        .contentColorRes(R.color.comment_grey)
                        .backgroundColorRes(R.color.sides_menu_gray)
                        .onPositive(new MaterialDialog.SingleButtonCallback() {
                            @Override
                            public void onClick(MaterialDialog materialDialog, DialogAction dialogAction) {
                                mSSLConnectionDialog.dismiss();
                                handler.proceed();
                            }
                        })
                        .onNegative(new MaterialDialog.SingleButtonCallback() {
                            @Override
                            public void onClick(MaterialDialog materialDialog, DialogAction dialogAction) {
                                handler.cancel();
                            }
                        })
                        .build();
                mSSLConnectionDialog.show(); 
}

to the

mWebView.setWebViewClient(new WebViewClient() {
... // other corresponding overridden methods
}

And finally Google says:

SECURITY SCAN COMPLETE
No known vulnerabilities were detected for APK 158.

However I'm not sure what code made it, HostNameVerifier or onReceivedSslError() of mWebView.setWebViewClient.