How to resolve Insecure HostnameVerifier

This information is intended for developers with app(s) using an unsafe implementation of the HostnameVerifier interface, which accepts all hostnames when establishing an HTTPS connection to a remote host with the setDefaultHostnameVerifier API. This implementation makes the app vulnerable to man-in-the-middle attacks. An attacker can potentially read transmitted data (such as login credentials), and even change the data transmitted on the HTTPS connection.

What’s happening

Beginning March 1, 2017, Google Play started to block publishing of any new apps or updates that use an unsafe implementation of HostnameVerifier. Please refer to the notice on your Play Console. After the deadlines shown in your Play Console, any apps that contain unfixed security vulnerabilities may be removed from Google Play.

Action required

  1. Sign in to your Play Console, and navigate to the Alerts section to see which apps are affected and the deadlines to resolve these issues.
  2. Update your affected apps and fix the vulnerability.
  3. Submit the updated versions of your affected apps.

Upon resubmission, your app will be reviewed again. This process can take several hours. If the app passes review and is published successfully, then no further action is required. If the app fails review, then the new app version will not be published and you will receive an email notification.

Additional details

To properly handle hostname verification, change the verify method of your custom HostnameVerifier implementation so that it returns false whenever the hostname presented by the server does not match the hostname your app expects; a verifier that unconditionally returns true accepts any certificate for any host and is exactly what this notice flags.
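The flagged pattern beside a safe replacement, as an added example that is not code from this article or from Google; the hostname api.example.com, the class name and the helper allowlistVerifier are placeholders chosen for illustration:

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class HostnameVerifierExample {

    // The pattern Google Play flags: every hostname is accepted, so a valid
    // certificate issued for some other host is accepted for api.example.com,
    // which is what makes the connection interceptable.
    static final HostnameVerifier ACCEPT_ALL = new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            return true; // insecure: disables hostname checking entirely
        }
    };

    // Hardened form: refuse any host outside an allowlist, and delegate the
    // certificate-to-hostname match (SAN/CN check) to the platform's default
    // verifier rather than re-implementing it.
    static HostnameVerifier allowlistVerifier(Set<String> expectedHosts) {
        // Capture the platform default before any code replaces it.
        final HostnameVerifier platformDefault =
                HttpsURLConnection.getDefaultHostnameVerifier();
        return new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                if (hostname == null
                        || !expectedHosts.contains(hostname.toLowerCase(Locale.ROOT))) {
                    return false; // unexpected host: fail closed
                }
                return platformDefault.verify(hostname, session);
            }
        };
    }

    public static void main(String[] args) {
        // Placeholder hostname; in a real app this is the API host you control.
        Set<String> expected = new HashSet<>(Arrays.asList("api.example.com"));
        // Install the hardened verifier app-wide instead of ACCEPT_ALL.
        // (If you have no reason to customise verification, simply do not call
        // setDefaultHostnameVerifier at all and keep the platform default.)
        HttpsURLConnection.setDefaultHostnameVerifier(allowlistVerifier(expected));
    }
}
```

Calling setDefaultHostnameVerifier with allowlistVerifier keeps the platform's certificate matching intact while adding the extra restriction; returning false for an unexpected host is the fail-closed behaviour the notice asks for.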

Note that apps must also comply with the Developer Distribution Agreement and Content Policy.

We’re here to help

If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.” For clarification on steps you need to take to resolve this issue, you can contact our developer support team.
