Sunandni Suri

Reputation: 1

unsafe implementation of the HostnameVerifier interface

I developed the app and published it to the Google Play Store, then received this notification from Google:

HostnameVerifier Your app(s) are using an unsafe implementation of the HostnameVerifier interface. You can find more information about how to resolve the issue in this Google Help Center article, including the deadline for fixing the vulnerability.

I can't use HostnameVerifier or call setDefaultHostnameVerifier(); I assume it relies upon some 3rd-party lib. Third-party libs used: Google Maps, Baidu Map, Firebase crash analytics, Firebase phone authentication, QuickBlox, Mob authentication.

I tried to use this code in the splash screen to solve this issue:

    HostnameVerifier hostnameVerifier = org.apache.http.conn.ssl.SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;

    DefaultHttpClient client = new DefaultHttpClient();

    SchemeRegistry registry = new SchemeRegistry();
    SSLSocketFactory socketFactory = SSLSocketFactory.getSocketFactory();
    socketFactory.setHostnameVerifier((X509HostnameVerifier) hostnameVerifier);
    registry.register(new Scheme("https", socketFactory, 443));
    SingleClientConnManager mgr = new SingleClientConnManager(client.getParams(), registry);
    DefaultHttpClient httpClient = new DefaultHttpClient(mgr, client.getParams());
    HttpsURLConnection.setDefaultHostnameVerifier(hostnameVerifier);

And

    HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
        public boolean verify(final String hostname, final SSLSession session) {
            if (session.isValid()) {
                return true;
            } else {
                return false;
            }
        }
    });

But my app got rejected from the Google Play Store.

Please help me find what's wrong with this code and how to solve it.

Upvotes: 0

Views: 4631

Answers (2)

kalide

Reputation: 99

    HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            // could judge
            if (hostname.equals("xx.xx.xx.xx")) {
                return true;
            } else {
                return false;
            }
        }
    });

According to Google's tips, the solution is to check that the hostname of the HTTPS connection is the one you expect. This prevents man-in-the-middle attacks.

Upvotes: 2

Gabe Sechan

Reputation: 93658

Just remove all of it and use the default. You don't need to specify a specific one. If for some reason you actually don't have a certificate and need to accept unsigned certs, just buy a certificate. It costs like 10 bucks these days. Google will not accept any app that accepts certs blindly.

Upvotes: 2
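
The difference between the verifier in the question and one that keeps the platform's own check, as an added example that is not part of the original posts. `EXPECTED_HOST`, the class name and the stub session are constructed for illustration; an app that has no need to restrict hosts can simply drop the `setDefaultHostnameVerifier` call, as the answer above says.

```java
import java.lang.reflect.Proxy;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

public class HostnameVerifierDemo {
    // Hypothetical backend name, used only for this illustration.
    static final String EXPECTED_HOST = "api.example.com";

    // The pattern from the question: the hostname argument is never read,
    // so a valid TLS session with any server passes.
    static final HostnameVerifier SESSION_ONLY = new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            return session.isValid();
        }
    };

    // Restricts connections to the expected host and leaves the actual
    // certificate-to-hostname match to the platform's default verifier.
    static HostnameVerifier expectedHostOnly(final HostnameVerifier platformDefault) {
        return new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                return EXPECTED_HOST.equalsIgnoreCase(hostname)
                        && platformDefault.verify(hostname, session);
            }
        };
    }

    public static void main(String[] args) {
        // Constructed stub session: isValid() is true, every other call returns null.
        SSLSession stub = (SSLSession) Proxy.newProxyInstance(
                SSLSession.class.getClassLoader(),
                new Class<?>[] {SSLSession.class},
                (proxy, method, a) -> method.getName().equals("isValid") ? Boolean.TRUE : null);

        HostnameVerifier strict =
                expectedHostOnly(HttpsURLConnection.getDefaultHostnameVerifier());

        // Same unexpected hostname through both verifiers: the first ignores
        // the name entirely, the second stops at the name comparison.
        System.out.println("session-only: " + SESSION_ONLY.verify("unexpected.example.net", stub));
        System.out.println("strict:       " + strict.verify("unexpected.example.net", stub));
    }
}
```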
