unsafe implementation of the HostnameVerifier interface

Question

I developed the app and published the google play store then received the notification from Google

HostnameVerifier Your app(s) are using an unsafe implementation of the HostnameVerifier interface. You can find more information about how to resolve the issue in this Google Help Center article, including the deadline for fixing the vulnerability.

I can't use HostnameVerifier or call setDefaultHostnameVerifier(), I assume it relies upon some 3rd party lib. Third parties lib used- Google map, baidu map, firebase crash analytics, firebase phone authentication, quick blox, mob authentication.

I tried to use these code in splash to solve this issue-

HostnameVerifier hostnameVerifier = org.apache.http.conn.ssl.SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;

        DefaultHttpClient client = new DefaultHttpClient();

        SchemeRegistry registry = new SchemeRegistry();
        SSLSocketFactory socketFactory = SSLSocketFactory.getSocketFactory();
        socketFactory.setHostnameVerifier((X509HostnameVerifier) hostnameVerifier);
        registry.register(new Scheme("https", socketFactory, 443));
        SingleClientConnManager mgr = new SingleClientConnManager(client.getParams(), registry);
        DefaultHttpClient httpClient = new DefaultHttpClient(mgr, client.getParams());
        HttpsURLConnection.setDefaultHostnameVerifier(hostnameVerifier);

And

HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            public boolean verify(final String hostname, final SSLSession session) {



                if (session.isValid()) {

                    return true;
                }
                else
                {
                    return false;
                }`

But, my app got rejected from Google play store.

Please, help me in finding whats wrong with this code? and how to solve it?

score 2 · Answer 1 · answered Nov 02 '17 at 06:58

2

Just remove all of it and use the default. You don't need to specify a specific one. If for some reason you actually don't have a certificate and need to accept unsigned certs- just buy a certificate. It costs like 10 bucks these days. Google will not accept any app that accepts certs blindly.

answered Nov 02 '17 at 06:58

Gabe Sechan

90,003
9
87
127

Sorry but not getting what to remove and how to use default @Gabe Sechan – Sunandni Suri Nov 02 '17 at 07:07
1

Just remove all of that code. There's a default verifier used if none is specified. It will accept any certificate by a reputable signing authority – Gabe Sechan Nov 02 '17 at 07:08
we tried it earlier . Earlier there was no code but still google rejected the app – Sunandni Suri Nov 02 '17 at 07:12
Then they rejected it for something else, or you didn't remove the important line. I have apps out three right now with no custom verifier, happily accepted – Gabe Sechan Nov 02 '17 at 07:21
I am having the same issue. I am using retrofit and okHttp3 to make API calls. I dont have any default verifier set. Was this issue solved? – Hasan Sawan Dec 12 '20 at 10:39
2

Facing the same issue, any help available? – Kanwarpreet Singh Dec 14 '20 at 11:06
@KanwarpreetSingh it is likely that some library that your app includes does the wrong thing. – Alex Cohn Apr 13 '21 at 10:24
1

@Alex Cohn Yeah, It was BrineTree Payment gateway – Kanwarpreet Singh Apr 14 '21 at 16:52

score 2 · Answer 2 · answered Feb 06 '21 at 18:13

HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                // could judge
                if (hostname.equals("xx.xx.xx.xx")) {
                    return true;
                } else {`enter code here`
                    return false;
                }
            }
});

According to Google's tips, the solution is to determine the host code name HTTPS connection, if this is their expectations. Prevent middle attacks.

unsafe implementation of the HostnameVerifier interface

2 Answers2

Linked