3

After 1st March when I have uploaded my app on beta group I got the particular mail from Google quoting:

This information is intended for developers with app(s) using an unsafe implementation of the HostnameVerifier interface, which accepts all hostnames when establishing an HTTPS connection to a remote host with the setDefaultHostnameVerifier API

After searching on the net I found some links but mostly they are suggesting to use third party library but in my whole app , I have done simple HTTPS request for restcalls. The code which I used for rest calls are:

TrustManager[] trustAllCerts = new TrustManager[] {
    new X509TrustManager() {

        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            return null;
        }

        public void checkClientTrusted(X509Certificate[] certs, String authType) {}
        public void checkServerTrusted(X509Certificate[] certs, String authType) {}
    }
};

// Install the all-trusting trust manager
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

// Create all-trusting host name verifier
HostnameVerifier hostnameVerifier = new HostnameVerifier() {
    @Override
    public boolean verify(String hostname, SSLSession session) {
        HostnameVerifier hv =
        HttpsURLConnection.getDefaultHostnameVerifier();
        return hv.verify("something.com", session);
    }
};

URL url = new URL("Something");
urlConnection = (HttpsURLConnection) url.openConnection();
urlConnection.setHostnameVerifier(hostnameVerifier);

Could anyone have the idea what type of code could be written in order to recover from the warning from Google. But I don't want to make use of third party library like Volley.

Alex Cohn
  • 56,089
  • 9
  • 113
  • 307
ritwik
  • 101
  • 1
  • 11
  • 1
    Your own code there has a comment saying you're creating an all-trusting host name verifier. That isn't a good idea, don't do it. I'm not even sure why you're messing with ssl at all- all you need to do to request an https site is to use an https url. There's no need to set a verifier. – Gabe Sechan Mar 07 '17 at 06:15
  • Thanx @Gabe it works – ritwik Mar 07 '17 at 09:09
  • @GabeSechan I am using https url for https site but it is giving SSL handshake exception . If i use above code then it ignores the exception but Google Play will not approve it. What should i do? – S.Ambika Jun 27 '20 at 09:41
  • Have you rectified the issue without using any SSL code? @ritwik – S.Ambika Jun 27 '20 at 09:43
  • Sounds like there's something wrong with your server, likely a bad certificate. – Gabe Sechan Jun 28 '20 at 16:30
  • @S.Ambika if your certificate exposes a wrong hostname, and you cannot fix it with you can replace it, using e.g. SNI – you can work around this in `HostnameVerifier`, but do it carefully. Don't follow the example above to hardcode the hostname, but rather check that the hostname received by the verifier is the one you expect. Google [had such workaround until 2014](https://android.googlesource.com/platform/external/okhttp/+/cc0952ec282184914a6153e9deff458c94785fd1). – Alex Cohn Apr 13 '21 at 16:20
  • @AlexCohn Thanks for your reply. Please help in this situation mentioned in this link https://stackoverflow.com/q/65949051/8063842. I need to solve this. It is related to SSL HandshakeException in webview. My whole SSL problem is related to this link – S.Ambika Apr 15 '21 at 05:32

1 Answers1

0

I think you are retrieving or posting the data to the server through the URL. If you want the answer to the question using the same method(Trust Manager), follow this link:- TrustManagerVulnerabilitySolution (or) I used an alternate way to overcome this problem.If you want to try the alternate way, Follow these Steps:-

  1. Download your SSL Certificate of your URL through your Web Browser.

  2. Create a network_security_config.xml in directory-> res/xml/network_security_config.xml

  3. Add these Code to the Xml file:- `

    <network-security-config>
        <domain-config>
            <domain includeSubdomains="true">example.com</domain>
            <trust-anchors>
                <certificates src="@raw/my_ca"/>
            </trust-anchors>
        </domain-config>
    </network-security-config>`

  4. Place your Downloaded SSL Certificate in the name 'my_ca' in the directory-> res/raw/'my_ca'

  5. Add this to your Manifest:- <application android:networkSecurityConfig="@xml/network_security_config">

  6. That's it. For More details Refer:- Networksecurityconfiguration

Mathesh T
  • 11
  • 2