This information is intended for developers with app(s) using an unsafe implementation of the HostnameVerifier or X509HostnameVerifier interface.
What’s happening
One or more of your apps contain an unsafe implementation of the interfaces HostnameVerifier or X509HostnameVerifier, which accepts all hostnames when establishing an HTTPS connection to a remote host with the setDefaultHostnameVerifier or setHostnameVerifier API. This implementation makes the app vulnerable to network attacks. An attacker can potentially read transmitted data (such as login credentials), and even change the data transmitted on the HTTPS connection. Vulnerable locations in your app can be found in the Play Console notification for your app. If a location ends with “(in dynamically loaded code)” then the location is in code dynamically loaded by the app or by libraries used by the app. Applications typically use dynamically loaded code through on-demand feature delivery, though other unrecommended techniques exist (some unrecommended techniques also violate the Google Play policy and should not be used). Additionally, packers can transform application code into dynamically loaded code. Please review the detailed steps below to fix the issue with your apps.
After the deadlines shown in your Play Console, any apps that contain unfixed security vulnerabilities may be removed from Google Play.
Action required
- Sign in to your Play Console, and navigate to the Alerts section to see which apps are affected and the deadlines to resolve these issues.
- Update your affected apps and fix the vulnerability.
- Submit the updated versions of your affected apps.
Upon resubmission, your app will be reviewed again. This process can take several hours. If the app passes review and is published successfully, then no further action is required. If the app fails review, then the new app version will not be published and you will receive an email notification.
Additional details
To properly handle hostname verification, change the implementation of your custom HostnameVerifier interface to perform the following actions:
- If you are using the HostnameVerifier interface, change the implementation of the verify method to return false whenever the hostname of the server does not meet your expectations.
- If you are using the X509HostnameVerifier interface, change the implementation of the verify methods (variants 1, 2, 3) to raise an SSLException whenever the hostname of the server does not meet your expectations. Ensure that the Exceptions raised within your verify implementation are not caught and suppressed within the method. Suppressing Exceptions in this manner would cause verify to exit normally, leading the app to trust all hostnames.
Also, do not pass AllowAllHostnameVerifier as an argument to setDefaultHostnameVerifier or setHostnameVerifier (e.g., via SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER). AllowAllHostnameVerifier turns off hostname verification, thus making your app vulnerable to attack.
We’re here to help
If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.” For clarification on steps you need to take to resolve this issue, you can contact our developer support team.