
I'm having trouble submitting my app. I've already configured Volley as shown below, but the Play Store still rejects it.

HostnameVerifier

Your app(s) are using an unsafe implementation of the HostnameVerifier interface. You can find more information about how to solve the issue in this Google Help Center article.

    RequestQueue queue = Volley.newRequestQueue(Services.this, new HurlStack(null, newSslSocketFactory()));

    // Request a string response from the provided URL.
    try {
        final ProgressDialog pDialog = new ProgressDialog(Services.this);
        pDialog.setMessage("Waiting ...");
        pDialog.show();

        String url = "https://sitesecurity.com";
        StringRequest stringRequest = new StringRequest(Request.Method.POST, url, new Response.Listener<String>() {
            @Override
            public void onResponse(String response) {
            }


    private SSLSocketFactory newSslSocketFactory() {
        try {
            // Installs HttpsTrustManager as the process-wide default HostnameVerifier.
            HttpsURLConnection.setDefaultHostnameVerifier(new HttpsTrustManager());
            SSLContext context = SSLContext.getInstance("TLS");
            // The custom trust manager replaces the platform's default certificate validation.
            context.init(null, new X509TrustManager[]{new DadosConsultaPerto.NullX509TrustManager()}, new SecureRandom());
            HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
            SSLSocketFactory sf = context.getSocketFactory();
            return sf;
        } catch (Exception e) {
            throw new AssertionError(e);
        }
    }

I tried several methods but the error persists.

| Vulnerability | APK Version(s) | Past Due Date |
|---|---|---|
| HostnameVerifier. Your app(s) are using an unsafe implementation of the HostnameVerifier interface. You can find more information about how to resolve the issue in this Google Help Center article. | 5 | March 01, 2017 |

Alex Cohn
rogerio
  • So did you have a look at Google Help Center article on `HostnameVerifier` and what did you try exactly? – Patrick Mevzek Mar 17 '18 at 21:19
  • I did as directed by Google. I have no client certificate, since the WebService gets a shared certificate. `public boolean verify(String hostname, SSLSession session) { Log.i("RestUtilImpl", "Approving certificate for " + hostname); return true; }` – rogerio Mar 17 '18 at 21:30
  • I hope that the issue has been resolved in the last 3 years. Could you kindly share the solution? – Alex Cohn Apr 13 '21 at 10:20

2 Answers


Delete newSslSocketFactory() and stop referring to it in your HurlStack constructor call. That is where you are using HostnameVerifier in a way that is completely insecure.

My guess is that your HttpsTrustManager is this one, which is also completely insecure and will cause your app to be banned from the Play Store. Deleting newSslSocketFactory() will solve that problem as well.

CommonsWare
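What the fix in the answer above looks like in code, as an added example that is not part of the original answer: the queue built on platform defaults, and, only where a custom verifier is really needed, one that delegates to the platform verifier instead of returning `true`. `SafeVolley`, `EXPECTED_HOST`, `defaultQueue` and `strictQueue` are hypothetical names; the host is taken from the question's URL.

```java
import android.content.Context;
import com.android.volley.RequestQueue;
import com.android.volley.toolbox.HurlStack;
import com.android.volley.toolbox.Volley;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

public final class SafeVolley {
    // Assumption: the single host this app talks to (from the question's URL).
    private static final String EXPECTED_HOST = "sitesecurity.com";

    // Simplest fix: no custom stack, so the platform trust store and verifier apply.
    // This only holds if nothing else calls setDefaultHostnameVerifier/SSLSocketFactory.
    static RequestQueue defaultQueue(Context ctx) {
        return Volley.newRequestQueue(ctx.getApplicationContext());
    }

    // A custom verifier may narrow what is accepted, never widen it: it pins the
    // expected name and still asks Android's default verifier to check the certificate.
    static final HostnameVerifier STRICT = new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            return EXPECTED_HOST.equalsIgnoreCase(hostname)
                    && HttpsURLConnection.getDefaultHostnameVerifier().verify(hostname, session);
        }
    };

    // Per-connection verifier; process-wide defaults are left untouched.
    static RequestQueue strictQueue(Context ctx) {
        HurlStack stack = new HurlStack() {
            @Override
            protected HttpURLConnection createConnection(URL url) throws IOException {
                HttpURLConnection c = super.createConnection(url);
                if (c instanceof HttpsURLConnection) {
                    ((HttpsURLConnection) c).setHostnameVerifier(STRICT);
                }
                return c;
            }
        };
        return Volley.newRequestQueue(ctx.getApplicationContext(), stack);
    }
}
```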

First select the APK version, then in Alerts (pre-launch report) select Security and trust; in the details you will find the affected class.