
I know this is an old topic. But I have tried all the solutions from most answers. I have uploaded the app 10 times in 2 days and kept on having the same notification from Google Play Support.

[screenshot: notification from Google Play Support]

When I had the notification sent from Google, I was using the built-in HostnameVerifier of okhttp3. But after having multiple failures I have updated all the dependencies and added a hostname verifier. Still the update has been rejected. Here is my ApiClient class.

import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Locale;
import java.util.concurrent.TimeUnit;

import javax.net.ssl.SSLException;

import android.util.Log;
import androidx.annotation.NonNull;

import com.facebook.stetho.okhttp3.StethoInterceptor;

import okhttp3.Cache;
import okhttp3.Interceptor;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.logging.HttpLoggingInterceptor;
import retrofit2.Retrofit;
import retrofit2.adapter.rxjava2.RxJava2CallAdapterFactory;
import retrofit2.converter.gson.GsonConverterFactory;

// ApiInterface, BuildConfig, MvpApplication and SharedHelper are project classes
// that are not part of the post.
public class APIClient {

    private static Retrofit retrofit = null;

    // Lazily builds one Retrofit instance on top of the OkHttpClient below.
    public static ApiInterface getAPIClient() {
        if (retrofit == null) {
            retrofit = new Retrofit
                    .Builder()
                    .baseUrl(BuildConfig.BASE_URL)
                    .client(getHttpClient())
                    .addCallAdapterFactory(RxJava2CallAdapterFactory.create())
                    .addConverterFactory(GsonConverterFactory.create())
                    .build();
        }
        return retrofit.create(ApiInterface.class);
    }

    private static OkHttpClient getHttpClient() {

        // Level.BODY logs every request and response header and body, which
        // includes the Authorization header added by AddHeaderInterceptor.
        HttpLoggingInterceptor interceptor = new HttpLoggingInterceptor();
        interceptor.setLevel(HttpLoggingInterceptor.Level.BODY);
        OkHttpClient.Builder okHttpClientBuilder = new OkHttpClient.Builder();
        okHttpClientBuilder.cache(new Cache(MvpApplication.getInstance().getCacheDir(), 10 * 1024 * 1024)) // 10 MB
                .connectTimeout(10, TimeUnit.MINUTES)
                .addNetworkInterceptor(new AddHeaderInterceptor())
                .addNetworkInterceptor(new StethoInterceptor())
                .readTimeout(10, TimeUnit.MINUTES)
                .writeTimeout(10, TimeUnit.MINUTES)
                .addInterceptor(interceptor);

        // Replaces OkHttp's default OkHostnameVerifier with a hand-written one:
        // the leaf certificate's first CN and then its dNSName SANs are matched
        // against the requested host. matches() and getDNSSubjectAlts() are
        // helpers not shown in the post; TAG is a class constant not shown either.
        okHttpClientBuilder.hostnameVerifier((hostname, session) -> {

            Certificate[] certs;
            try {
                certs = session.getPeerCertificates();
            } catch (SSLException e) {
                return false;
            }
            X509Certificate x509 = (X509Certificate) certs[0];
            // We can be case-insensitive when comparing the host we used to
            // establish the socket to the hostname in the certificate.
            String hostName = hostname.trim().toLowerCase(Locale.ENGLISH);
            // Verify the first CN provided. Other CNs are ignored. Firefox, wget,
            // curl, and Sun Java work this way.
            String firstCn = getFirstCn(x509);
            System.out.println(TAG + ": firstCn: " + firstCn);
            if (matches(hostName, firstCn)) {
                return true;
            }
            for (String cn : getDNSSubjectAlts(x509)) {
                if (matches(hostName, cn)) {
                    return true;
                }
            }
            return false;

        });

        return okHttpClientBuilder.build();
    }

    // Extracts the first CN= attribute from the subject DN, or null if there is none.
    private static String getFirstCn(X509Certificate cert) {
        String subjectPrincipal = cert.getSubjectX500Principal().toString();
        for (String token : subjectPrincipal.split(",")) {
            int x = token.indexOf("CN=");
            if (x >= 0) {
                return token.substring(x + 3);
            }
        }
        return null;
    }

    // Adds the stored access token to every request. Note that the Log.d call
    // writes that token to logcat on every request.
    private static class AddHeaderInterceptor implements Interceptor {
        @Override
        public Response intercept(@NonNull Chain chain) throws IOException {
            Request.Builder builder = chain.request().newBuilder();
            builder.addHeader("X-Requested-With", "XMLHttpRequest");
            builder.addHeader("Authorization",
                    SharedHelper.getKey(MvpApplication.getInstance(), "access_token"));
            Log.d("TTT access_token", SharedHelper.getKey(MvpApplication.getInstance(), "access_token"));
            return chain.proceed(builder.build());
        }
    }
}

Can someone suggest any ways I can check for possible vulnerability before posting a release on Play Store, or any way to bypass this issue?

Following are the implementations of HostnameVerifier inside the project.

[screenshot: HostnameVerifier implementations found in the project]

I have got 17 warnings in the pre-launch report. Some of them are due to okhttp. Here is one of the warnings.

StrictMode policy violation: android.os.strictmode.NonSdkApiUsedViolation: Lcom/android/org/conscrypt/OpenSSLSocketImpl;->setHostname(Ljava/lang/String;)V
at android.os.StrictMode.lambda$static$1(StrictMode.java:428)
at android.os.-$$Lambda$StrictMode$lu9ekkHJ2HMz0jd3F8K8MnhenxQ.accept(Unknown Source:2)
at java.lang.Class.getDeclaredMethodInternal(Native Method)
at java.lang.Class.getPublicMethodRecursive(Class.java:2075)
at java.lang.Class.getMethod(Class.java:2063)
at java.lang.Class.getMethod(Class.java:1690)
at okhttp3.internal.platform.android.AndroidSocketAdapter.<init>(AndroidSocketAdapter.kt:36)
at okhttp3.internal.platform.android.StandardAndroidSocketAdapter.<init>(StandardAndroidSocketAdapter.kt:34)
at okhttp3.internal.platform.android.StandardAndroidSocketAdapter$Companion.buildIfSupported(StandardAndroidSocketAdapter.kt:59)
at okhttp3.internal.platform.android.StandardAndroidSocketAdapter$Companion.buildIfSupported$default(StandardAndroidSocketAdapter.kt:52)
at okhttp3.internal.platform.AndroidPlatform.<init>(AndroidPlatform.kt:47)
at okhttp3.internal.platform.AndroidPlatform$Companion.buildIfSupported(AndroidPlatform.kt:160)
at okhttp3.internal.platform.Platform$Companion.findAndroidPlatform(Platform.kt:219)
at okhttp3.internal.platform.Platform$Companion.findPlatform(Platform.kt:212)
at okhttp3.internal.platform.Platform$Companion.access$findPlatform(Platform.kt:169)
at okhttp3.internal.platform.Platform.<clinit>(Platform.kt:170)
at okhttp3.OkHttpClient.<init>(OkHttpClient.kt:237)
at okhttp3.OkHttpClient$Builder.build(OkHttpClient.kt:1069)
at com.shadigipay.shadrivedriver.data.network.APIClient.getHttpClient(APIClient.java:172)
at com.shadigipay.shadrivedriver.data.network.APIClient.getAPIClient(APIClient.java:56)
at com.shadigipay.shadrivedriver.ui.activity.splash.SplashPresenter.checkVersion(SplashPresenter.java:33)
at com.shadigipay.shadrivedriver.ui.activity.splash.SplashActivity.checkVersion(SplashActivity.java:98)
at com.shadigipay.shadrivedriver.ui.activity.splash.SplashActivity.onResume(SplashActivity.java:205)
at android.app.Instrumentation.callActivityOnResume(Instrumentation.java:1412)
at androidx.test.runner.MonitoringInstrumentation.callActivityOnResume(MonitoringInstrumentation.java:1)
at android.app.Activity.performResume(Activity.java:7300)
at android.app.ActivityThread.performResumeActivity(ActivityThread.java:3814)
at android.app.ActivityThread.handleResumeActivity(ActivityThread.java:3854)
at android.app.servertransaction.ResumeActivityItem.execute(ResumeActivityItem.java:51)
at android.app.servertransaction.TransactionExecutor.executeLifecycleState(TransactionExecutor.java:145)
at android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:70)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1816)
at android.os.Handler.dispatchMessage(Handler.java:106)
at android.os.Looper.loop(Looper.java:193)
at android.app.ActivityThread.main(ActivityThread.java:6718)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:493)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:858)

I am using okhttp 4.9.0 and retrofit 2.9.0.

Hasan Sawan

  • Perhaps there's a debug implementation somewhere in your apps or your third party libraries? – Jesse Wilson Dec 12 '20 at 23:29
  • There is no such implementation in my code. Is there a way to know whether there are vulnerabilities in any library projects? – Hasan Sawan Dec 12 '20 at 23:45
  • Any chance you are including any test sources in your build? Can you post a screenshot from your IDE showing the implementations of this interface in your app? – Yuri Schimke Dec 13 '20 at 09:09
  • We get the same rejection reason. Is there a diagnostic tool to tell us which file or which library has the issue? – Tsiogas P. Dec 17 '20 at 17:39
  • Also facing the same issue. My project isn't explicitly using the hostname code. The only place it is found is in okhttp (version 4.7.2). – Fernando Dec 17 '20 at 19:19
  • I am looking for something similar as well @TsiogasP. Without a diagnostic tool how is it possible to know! One of my apps has been in review for the past 6 days and another one for 3 days. No response from Play Store. – Hasan Sawan Dec 18 '20 at 23:27
  • The official answer I got from Google, asking for a diagnostic tool, is the one below: "If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.” We are helpless here. The only hint we have is that it maybe has to do with a braintree/paypal library. Do you guys use it? https://github.com/braintree/braintree_android/issues/312 – Tsiogas P. Dec 21 '20 at 09:52
  • I have got a response saying paypal is the culprit. Also, one of my apps has been published. Do you have a network_security_config.xml in your project to filter hostname? – Hasan Sawan Dec 21 '20 at 12:53
  • You may want to upgrade your okhttp dependency, see https://github.com/square/okhttp/issues/5816 – Alex Cohn Apr 13 '21 at 11:30
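As an added example (not code from the question, from OkHttp or from the project), this is what the same client builder looks like once the hand-written verifier is dropped: no `hostnameVerifier(...)` call at all, so OkHttp's own `OkHostnameVerifier` does RFC 6125 matching against the certificate's subjectAltName entries. It also stops the bearer token from reaching logcat. The `cacheDir`, `debugBuild` and `apiHost` parameters stand in for the project's `MvpApplication` and `BuildConfig`, and the pin value is a placeholder, not a real hash.

```java
import java.io.File;
import java.util.concurrent.TimeUnit;

import okhttp3.Cache;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.logging.HttpLoggingInterceptor;

// Hardened counterpart of the posted getHttpClient(): same cache and timeouts,
// but the default hostname verification is left untouched.
public final class HardenedApiClient {

    private HardenedApiClient() {}

    // cacheDir: the app's cache directory; debugBuild: BuildConfig.DEBUG or similar;
    // apiHost: the API hostname, e.g. from the base URL (all assumed parameters).
    public static OkHttpClient build(File cacheDir, boolean debugBuild, String apiHost) {
        HttpLoggingInterceptor logging = new HttpLoggingInterceptor();
        // Bodies only in debug builds; the Authorization header is redacted in every build,
        // so the access token never appears in logcat.
        logging.setLevel(debugBuild
                ? HttpLoggingInterceptor.Level.BODY
                : HttpLoggingInterceptor.Level.NONE);
        logging.redactHeader("Authorization");

        // Optional extra restriction that does NOT weaken hostname checking: pin the API
        // host to the SHA-256 of its (or its issuer's) SubjectPublicKeyInfo. The value
        // below is a placeholder (32 zero bytes); use the real pin plus a backup pin.
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(apiHost, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=") // placeholder
                .build();

        return new OkHttpClient.Builder()
                .cache(new Cache(cacheDir, 10L * 1024 * 1024)) // 10 MB, as in the question
                .connectTimeout(10, TimeUnit.MINUTES)
                .readTimeout(10, TimeUnit.MINUTES)
                .writeTimeout(10, TimeUnit.MINUTES)
                .addInterceptor(logging)
                .certificatePinner(pinner)
                // No .hostnameVerifier(...) call: OkHostnameVerifier stays in place.
                .build();
    }
}
```

If the goal of the original verifier was to restrict which hosts the app may talk to, that belongs in a `CertificatePinner` as above or, for the platform HTTP stack, in `network_security_config.xml`, never in a replacement `HostnameVerifier`. Keep the pin placeholder out of any build that talks to a real server, since an unmatched pin fails every connection.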

1 Answer

Dupe of Google Play Security Alert - Your app is using an unsafe implementation of the HostnameVerifier

Do not write your own HostnameVerifier; you are only making it less secure and them less likely to approve. You need to find the implementation of HostnameVerifier that they are flagging and stop using that.

You should also follow the instructions you linked to in the photo https://support.google.com/faqs/answer/7188426?hl=en

Tag this question with android-security and possibly contact them using the form they have provided.

Also edit your question to show the implementations you have in your project.

[screenshot]

Yuri Schimke

  • I have added the implementation. I have also contacted the Google Play team. Hopefully they will reply after the weekend. I checked the Alpha Testing report and found there were several policy issues all related to Google library updates. I changed the minSdk to 19 from 16 as some of the features do not work on phones below that. After that I uploaded a new apb and haven't got a rejection email yet. But they haven't approved the release either. I will find out once approved/rejected. – Hasan Sawan Dec 13 '20 at 22:25
  • Good luck. Curious: is the screenshot you showed from your project or from OkHttp or another project? I'm surprised it is showing source code like that instead of a list of implementations. Thanks for updating. – Yuri Schimke Dec 14 '20 at 07:33
  • Apparently not so much good luck. Again got rejected. I have added some warnings in the question. Could it be okhttp? – Hasan Sawan Dec 15 '20 at 20:10
  • It's not clear what your screenshot above is showing, for instance why would you include HostnameVerifierBenchmark in *your* project? – Yuri Schimke Dec 16 '20 at 07:08
  • I don't understand. Which SS? There I just tried to see the usage of HostnameVerifier. – Hasan Sawan Dec 16 '20 at 15:32
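The answer's advice is to find the verifier that is actually being flagged rather than add another one. As an added example (not part of the answer, and not OkHttp's or any SDK's code), this small audit helper reports at runtime which `HostnameVerifier` class an `OkHttpClient` will consult and which one is installed process-wide for `HttpsURLConnection`; a third-party SDK that calls `HttpsURLConnection.setDefaultHostnameVerifier(...)` changes the latter for the whole app, and the class name it reports points at that library. The class name `okhttp3.internal.tls.OkHostnameVerifier` is OkHttp's own default in 3.x and 4.x; the class and method names here are the example's own.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;

import okhttp3.OkHttpClient;

// Debug-build helper: tells you which verifier classes are really in use,
// so a custom or library-supplied one can be located and removed.
public final class HostnameVerifierAudit {

    // Fully qualified name of OkHttp's built-in verifier (OkHttp 3.x and 4.x).
    private static final String OKHTTP_DEFAULT = "okhttp3.internal.tls.OkHostnameVerifier";

    private HostnameVerifierAudit() {}

    // Class that this client consults on every TLS handshake.
    public static String verifierOf(OkHttpClient client) {
        return client.hostnameVerifier().getClass().getName();
    }

    // True only if nobody replaced the default on this client.
    public static boolean usesOkHttpDefault(OkHttpClient client) {
        return OKHTTP_DEFAULT.equals(verifierOf(client));
    }

    // Class installed as the process-wide default for HttpsURLConnection. A name from
    // a library package here means that library replaced it globally.
    public static String processWideDefault() {
        HostnameVerifier v = HttpsURLConnection.getDefaultHostnameVerifier();
        return v.getClass().getName();
    }

    // One-line-per-fact summary for a logcat entry or an instrumentation test assertion.
    public static String report(OkHttpClient client) {
        return "OkHttpClient verifier: " + verifierOf(client)
                + (usesOkHttpDefault(client) ? " (OkHttp default)" : " (CUSTOM: review this class)")
                + "\nHttpsURLConnection default verifier: " + processWideDefault();
    }

    // Run once in a debug build, e.g. at the end of Application.onCreate(), after every
    // third-party SDK has initialised, so a verifier they install globally is visible.
    public static void main(String[] args) {
        System.out.println(report(new OkHttpClient()));
    }
}
```

For a static answer to "which file or library has the issue", use the IDE's "Find implementations" on `javax.net.ssl.HostnameVerifier` with library sources attached, as the answer suggests, or list the classes in the built release APK with the Android SDK's `apkanalyzer` and search that list for `HostnameVerifier`; whichever package the implementation lives in is the dependency to update or drop.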