Reputation: 302
I have been using the following code so far to call "https" APIs in my app.
```java
import android.annotation.SuppressLint;

import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Trust manager that accepts every certificate chain: neither check method
// ever throws, so any server certificate (including a forged one) is accepted.
public class HttpsTrustManager implements X509TrustManager {
    private static TrustManager[] trustManagers;
    private static final X509Certificate[] _AcceptedIssuers = new X509Certificate[]{};

    @SuppressLint("TrustAllX509TrustManager")
    @Override
    public void checkClientTrusted(X509Certificate[] x509Certificates, String s)
            throws java.security.cert.CertificateException {
        // empty: no client-certificate validation
    }

    @SuppressLint("TrustAllX509TrustManager")
    @Override
    public void checkServerTrusted(X509Certificate[] x509Certificates, String s)
            throws java.security.cert.CertificateException {
        // empty: no server-certificate validation
    }

    public boolean isClientTrusted(X509Certificate[] chain) {
        return true;
    }

    public boolean isServerTrusted(X509Certificate[] chain) {
        return true;
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return _AcceptedIssuers;
    }

    // Installs the trust-all manager and an accept-everything hostname verifier
    // as process-wide defaults for every HttpsURLConnection.
    public static void allowAllSSL() {
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            @Override
            public boolean verify(String arg0, SSLSession arg1) {
                return true; // accepts any hostname
            }
        });
        SSLContext context = null;
        if (trustManagers == null) {
            trustManagers = new TrustManager[]{new HttpsTrustManager()};
        }
        try {
            context = SSLContext.getInstance("TLS");
            context.init(null, trustManagers, new SecureRandom());
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        } catch (KeyManagementException e) {
            e.printStackTrace();
        }
        HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
    }
}
```
I am new to the Android security changes made by the Google Play Store. I am getting this warning from the Play Store:
change the verify method in your custom HostnameVerifier interface to return false whenever the hostname of the server does not meet your expectations.
I want to know what kind of changes I should make in the app or on the server. I have tried other links on Stack Overflow, but I am not getting clarity on whether I should modify the app or just create a signed certificate on the server.
A solution that I found, but I am not sure whether it will work or not:
If I add the following code:
```java
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    @Override
    public boolean verify(String hostname, SSLSession arg1) {
        // compares the bare hostname against a full URL with a scheme, so this never matches
        if (hostname.equalsIgnoreCase("https://xxxxxx.xx")) {
            return true;
        } else {
            return false;
        }
    }
});
```
then will it not cause any issue in the Play Store?
Upvotes: 0
Views: 652
Reputation: 20147
That is not a valid or secure implementation of SSL, nor is your proposed solution.
The correct solution is to delete all of this code.
The only thing your allowAllSSL method does is completely disable all SSL security. You're opening your users up to network-based eavesdropping and attacks by doing this.
Upvotes: 1
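As an added illustration (not code from the question or the answer above): once the trust-all code is deleted, the platform's own trust store validates the server chain, and if the app still wants a HostnameVerifier it should delegate to the platform verifier and additionally reject any host other than the one it expects. `EXPECTED_HOST` is an assumed placeholder, and the code assumes the process-wide default verifier has not been replaced by something like `allowAllSSL()`.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

public final class StrictHttpsClient {
    // Assumed placeholder: bare host name only, no scheme, port or path.
    private static final String EXPECTED_HOST = "api.example.com";

    // Accepts the session only if the platform verifier accepts it (the certificate's
    // names match the host) AND the host is the one this app is meant to talk to.
    static final HostnameVerifier STRICT_VERIFIER = new HostnameVerifier() {
        // Captured at class-init time; assumes no one has installed a trust-all default.
        private final HostnameVerifier platform = HttpsURLConnection.getDefaultHostnameVerifier();

        @Override
        public boolean verify(String hostname, SSLSession session) {
            if (!platform.verify(hostname, session)) {
                return false; // certificate does not name this host
            }
            return EXPECTED_HOST.equalsIgnoreCase(hostname); // anything else is rejected
        }
    };

    // Performs a GET over HTTPS with default certificate validation and the strict verifier.
    public static String get(String path) throws IOException {
        URL url = new URL("https://" + EXPECTED_HOST + path);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Per-connection verifier; no setDefaultHostnameVerifier / setDefaultSSLSocketFactory,
        // and no custom TrustManager, so the system trust store validates the chain.
        conn.setHostnameVerifier(STRICT_VERIFIER);
        conn.setRequestMethod("GET");
        StringBuilder body = new StringBuilder();
        try (BufferedReader reader = new BufferedReader(
                new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = reader.readLine()) != null) {
                body.append(line).append('\n');
            }
        } finally {
            conn.disconnect();
        }
        return body.toString();
    }
}
```

A mismatched certificate or an unexpected host now fails the connection with an SSL exception instead of being silently accepted, which is the behaviour the Play Store warning asks for.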