Okhttp: Google Play Console - Your app(s) are using an unsafe implementation of the HostnameVerifier interface.

Created on 22 Dec 2020 · 7 Comments · Source: square/okhttp

When trying to upload my app for an update in the Google Play Console, I got rejected with this:

"Your app(s) are using an unsafe implementation of the HostnameVerifier interface."

Google didn't provide me with the exact classes that use the HostnameVerifier, so because in my code I don't have an implementation of the HostnameVerifier, I started looking at the included libraries' implementations.

I came across the following methods in the 4.9.0 version of the library. It is located in /okhttp3/internal/platform/ConscryptPlatform.kt

internal object DisabledHostnameVerifier : ConscryptHostnameVerifier {

  fun verify(
    hostname: String?,
    session: SSLSession?
  ): Boolean {
    return true
  }

  override fun verify(
    certs: Array<out X509Certificate>?,
    hostname: String?,
    session: SSLSession?
  ): Boolean {
    return true
  }

}

Could this be a vulnerability flagging the app so it got rejected? Even if I don't use Conscrypt at all?

Google support was not very informative and I couldn't find anything useful on Stack Overflow (only references to other libraries using it that I don't use).

This is the only implementation of a vulnerable HostnameIdentifier that I found in the project (my code + libs).

bug

All 7 comments

Hm.

What’s surprising there is that class isn’t a javax.net.ssl.HostnameVerifier at all; it’s a different type (ConscryptHostnameVerifier) with a similar name and purpose.

I'm going to close this out; there isn't anything we can do here. The code is correct, it's just coincidentally named, isn't even ever used on an Android phone, and from the report it is hard to confirm which one they object to.

You should follow up with Google Play. https://support.google.com/faqs/answer/7188426?hl=en

We’re here to help

If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.” For clarification on steps you need to take to resolve this issue, you can contact our developer support team.
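To make the distinction above concrete, here is an added example (not OkHttp code and not from this thread): a small source scanner that reports classes implementing javax.net.ssl.HostnameVerifier whose verify() unconditionally returns true, and that does not flag a ConscryptHostnameVerifier like the one quoted in the issue. The sample sources in SAMPLES are constructed for the demo.

```python
import re

# Constructed sample sources, not real project files. The first mirrors the
# OkHttp object from this issue (a ConscryptHostnameVerifier, not javax's);
# the second is the pattern Google Play objects to; the third delegates.
SAMPLES = {
    "ConscryptPlatform.kt": """
internal object DisabledHostnameVerifier : ConscryptHostnameVerifier {
  override fun verify(certs: Array<out X509Certificate>?, hostname: String?,
                      session: SSLSession?): Boolean { return true }
}""",
    "TrustAll.java": """
import javax.net.ssl.HostnameVerifier;
class TrustAll implements HostnameVerifier {
  public boolean verify(String host, SSLSession s) { return true; }
}""",
    "Strict.java": """
import javax.net.ssl.HostnameVerifier;
class Strict implements HostnameVerifier {
  public boolean verify(String host, SSLSession s) {
    return HttpsURLConnection.getDefaultHostnameVerifier().verify(host, s);
  }
}""",
}

# A class/object whose supertype list names HostnameVerifier as a whole word;
# the \b boundary keeps ConscryptHostnameVerifier from matching.
SUPERTYPE = re.compile(r"\b(?:class|object)\s+(?P<name>\w+)[^{]*?\bHostnameVerifier\b")
# A verify(...) whose body is exactly "return true" (Java, Kotlin block or
# Kotlin expression body).
RETURNS_TRUE = re.compile(
    r"\bverify\s*\([^)]*\)\s*(?::\s*Boolean\s*)?(?:\{\s*return\s+true\s*;?\s*\}|=\s*true)"
)

def find_unsafe_verifiers(sources):
    """Return (file, class) pairs implementing javax.net.ssl.HostnameVerifier
    that accept every hostname. Files that never reference
    javax.net.ssl.HostnameVerifier are skipped, so a same-named type from
    another package (Conscrypt's) is not reported."""
    findings = []
    for path, src in sources.items():
        if "javax.net.ssl.HostnameVerifier" not in src:
            continue
        for m in SUPERTYPE.finditer(src):
            # Inspect the text after the class header; adequate for one class per file.
            if RETURNS_TRUE.search(src, m.end()):
                findings.append((path, m.group("name")))
    return findings

if __name__ == "__main__":
    for path, cls in find_unsafe_verifiers(SAMPLES):
        print(f"{path}: {cls} accepts any hostname")
```

Point it at a decompiled APK or an unpacked set of dependency sources to narrow down which class a Play Console report is about.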

@amoropoulos were you able to fix the Play Store error? If yes, please let me know, I'm also facing the same problem. Thank you

@altaf2892 I suggest continuing the discussion on Stack Overflow; you will get more visibility and it's one of the two documented support channels for this type of error. On this bug report it's only going to be seen by a few developers, and our best understanding is that it is an issue outside of our direct control and unlikely to be OkHttp library classes.

ok thanks, and btw it was a Braintree issue https://github.com/braintree/braintree-android-drop-in/issues/208#issuecomment-750344612

Posting a similar answer here, not to continue the discussion but to connect the network of posts: https://stackoverflow.com/questions/65491217/how-can-i-find-and-fix-my-android-apps-security-vulnerability

implementation ('com.google.apis:google-api-services-androidpublisher:v3-rev20201125-1.31.0')  {
    exclude group: 'org.apache.httpcomponents'
}

implementation ('com.google.auth:google-auth-library-oauth2-http:0.22.2')  {
    exclude group: 'org.apache.httpcomponents'
}