Google Play Security Alert – Your app is using an unsafe implementation of the HostnameVerifier

by

Same here – Insecure Hostname Verifier Detected in APK

Your app is using an unsafe implementation of HostnameVerifier. Please
see this Google Help Center article for details, including the
deadline for fixing the vulnerability. Im not using HostnameVerifier
and not calling setDefaultHostnameVerifier. Moreover – Im using OKHTTP
lib for http-requests. I hope that defining TrustManager will solve
this issue.

Since I’m not subclassing HostnameVerifier or calling setDefaultHostnameVerifier() I assume it relies to some 3rd party lib. Since I can’t detect such lib I think I will try to add a class with following code 

HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(final String hostname, final SSLSession session) {
        if (/* check if SSL is really valid */)
            return true;
        else
            return false;
    }
});

to my project and will see if it fixes the issue.
So I did it and additionally to every webView I’ve added overridden method 

@Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
    // the main thing is to show dialog informing user
    // that SSL cert is invalid and prompt him to continue without 
    // protection: handler.proceed();
    // or cancel: handler.cancel();
    String message;
    switch(error.getPrimaryError()) {
        case SslError.SSL_DATE_INVALID:
            message = ResHelper.getString(R.string.ssl_cert_error_date_invalid);
            break;
        case SslError.SSL_EXPIRED:
            message = ResHelper.getString(R.string.ssl_cert_error_expired);
            break;
        case SslError.SSL_IDMISMATCH:
            message = ResHelper.getString(R.string.ssl_cert_error_idmismatch);
            break;
        case SslError.SSL_INVALID:
            message = ResHelper.getString(R.string.ssl_cert_error_invalid);
            break;
        case SslError.SSL_NOTYETVALID:
            message = ResHelper.getString(R.string.ssl_cert_error_not_yet_valid);
            break;
        case SslError.SSL_UNTRUSTED:
            message = ResHelper.getString(R.string.ssl_cert_error_untrusted);
            break;
        default:
            message = ResHelper.getString(R.string.ssl_cert_error_cert_invalid);
    }
    mSSLConnectionDialog = new MaterialDialog.Builder(getParentActivity())
            .title(R.string.ssl_cert_error_title)
            .content(message)
            .positiveText(R.string.continue_button)
            .negativeText(R.string.cancel_button)
            .titleColorRes(R.color.black)
            .positiveColorRes(R.color.main_red)
            .contentColorRes(R.color.comment_grey)
            .backgroundColorRes(R.color.sides_menu_gray)
            .onPositive(new MaterialDialog.SingleButtonCallback() {
                @Override
                public void onClick(MaterialDialog materialDialog, DialogAction dialogAction) {
                    mSSLConnectionDialog.dismiss();
                    handler.proceed();
                }
            })
            .onNegative(new MaterialDialog.SingleButtonCallback() {
                @Override
                public void onClick(MaterialDialog materialDialog, DialogAction dialogAction) {
                    handler.cancel();
                }
            })
            .build();
    mSSLConnectionDialog.show(); 
}

to the

mWebView.setWebViewClient(new WebViewClient() {
... // other corresponding overridden methods
}

And finally Google says:

SECURITY SCAN COMPLETE
No known vulnerabilities were detected for APK 158.

However I’m not sure what code made it, HostNameVerifier or onReceivedSslError() of mWebView.setWebViewClient. Note: HostNameVerifier.setDefaultHostnameVerifier() should not return true always like it is in your code! It has to implement some logic to check if its all OK with SSL and return true or false. It is essential.

More Related Contents:

  1. Webview avoid security alert from google play upon implementation of onReceivedSslError
  2. WebView: how to avoid security alert from Google Play upon implementation of onReceivedSslError
  3. android Google Play Warning: SSL Error Handler Vulnerability
  4. Android app is supported by 0 devices
  5. updating Google play services in Emulator
  6. How to remove application from app listings on Android Developer Console
  7. How to enable Google Play App Signing
  8. How to know an application is installed from google play or side-load?
  9. How to test android referral tracking?
  10. What does this Google Play APK publish error message mean?
  11. App on Google Play always shows “Update” instead of open [closed]
  12. How to determine which dependency causes Google Play OpenSSL warning?
  13. Disable LogCat Output COMPLETELY in release Android app?
  14. How do you to check if a user has rated your app on the Google Play?
  15. Rate Google Play application directly in app [duplicate]
  16. Get Android Google Analytics referrer tag
  17. Checking my app version programmatically in Android market
  18. Android – Google Play like tabs
  19. Android – How to intercept the ‘Install application’ intent
  20. How to know if a specific user has rated a Android App?
  21. You uploaded an APK or Android App Bundle which has an activity, activity alias, service or broadcast receiver with intent filter, but without the ‘an
  22. How to notify users about an Android app update?
  23. How to implement Rate It feature in Android App
  24. How do I debug an APK that is signed for release?
  25. Opening Google Play in popup (like Vimeo, Wisher, Buzzfeed) – Instant App
  26. Signing an APK with an upload key provided by Google Play
  27. Published Android apk gives error “Package file was not signed correctly”
  28. Google App is Published on Internal Test Track but Can’t Be Found/Downloaded
  29. Is it possible to debug locally Google Play’s in-app billing in Android Studio?
  30. This app won’t run unless you update Google Play services error

Leave a Comment