
After submission to the Google Play Store I receive an email notification telling me my APK is using an unsafe implementation of the HostnameVerifier interface.

I can't find anywhere in my own code where HostnameVerifier is used, so I'm unable to remove it. I assume it comes from one of my libraries, but none of the dependency upgrades I've tried make the warning go away. Can someone point me in the right direction to resolving this vulnerability?

Here's my project level build.gradle file:

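buildscript {
    ext.kotlin_version = '1.4.10'
    // Repositories used only to resolve the Gradle plugins listed below. Every host
    // here is trusted with build-time code, so keep the list minimal.
    // NOTE(review): the Cardinal (Braintree 3D Secure) repository serves a runtime SDK
    // for the app module, not a Gradle plugin; it is probably not needed on the
    // plugin classpath at all (left in place so this edit does not change the build).
    repositories {
        google()
        jcenter()
        mavenCentral()
        maven {
            url "https://cardinalcommerce.bintray.com/android"
        }
    }
    dependencies {
        classpath 'com.android.tools.build:gradle:4.0.1'
        classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:$kotlin_version"
        classpath "io.realm:realm-gradle-plugin:7.0.5"
        classpath 'com.google.gms:google-services:4.3.4'
        // NOTE(review): zxing android-core is an app library, not a Gradle plugin; on the
        // build classpath it does nothing and it presumably belongs in the app module's
        // dependencies { } block instead. Left in place to avoid changing what is built.
        classpath 'com.google.zxing:android-core:3.3.0'
        classpath 'com.apollographql.apollo:apollo-gradle-plugin:1.3.2'
        classpath 'com.google.firebase:firebase-crashlytics-gradle:2.3.0'
    }
}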

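allprojects {
    // Repositories every module resolves runtime dependencies from. Gradle queries
    // them in declaration order and takes the first repository that serves a group.
    repositories {
        google()
        jcenter()
        // Added: JCenter was announced as sunset in 2021 and became read-only, so
        // artifacts resolved from it should also be reachable from Maven Central
        // (which the buildscript block above already lists). Keeping jcenter() in
        // front preserves the current resolution behaviour.
        mavenCentral()
    }
}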

Here's my app level build.gradle file:

apply plugin: 'com.android.application'

// Kotlin support. kotlin-android-extensions (synthetic views) is deprecated upstream
// in favour of view binding, but still works with the 1.4.10 version pinned above.
apply plugin: 'kotlin-android'
apply plugin: 'kotlin-android-extensions'
apply plugin: 'kotlin-kapt'

// Realm's bytecode transformer (Realm's setup guide places it after kotlin-kapt;
// keep this order).
apply plugin: 'realm-android'

// Apollo GraphQL code generation; configured in the apollo { } block at the end of the file.
apply plugin: 'com.apollographql.apollo'

// Firebase. NOTE(review): the google-services plugin is applied a second time near the
// end of this file; applying it once is enough.
apply plugin: 'com.google.gms.google-services'
apply plugin: 'com.google.firebase.crashlytics'

android {
    compileSdkVersion 29

    defaultConfig {
        applicationId "*****"
        minSdkVersion 23
        targetSdkVersion 29
        versionCode 99
        versionName '4.3.4'
        testInstrumentationRunner 'androidx.test.runner.AndroidJUnitRunner'
        // RenderScript is compiled for API 22 in support-library mode.
        renderscriptSupportModeEnabled true
        renderscriptTargetApi 22
        // Multidex: presumably the dependency list below pushes the app past the
        // single-dex method limit.
        multiDexEnabled true
    }

    compileOptions {
        sourceCompatibility JavaVersion.VERSION_1_8
        targetCompatibility JavaVersion.VERSION_1_8
    }

    // Several dependencies ship identically named licence/notice files under
    // META-INF; drop them so the packaging step does not fail on duplicates.
    packagingOptions {
        exclude 'META-INF/DEPENDENCIES'
        exclude 'META-INF/LICENSE'
        exclude 'META-INF/LICENSE.txt'
        exclude 'META-INF/license.txt'
        exclude 'META-INF/NOTICE'
        exclude 'META-INF/NOTICE.txt'
        exclude 'META-INF/notice.txt'
        exclude 'META-INF/ASL2.0'
    }

    // Release signing material is read from Gradle properties (RELEASE_STORE_FILE,
    // RELEASE_STORE_PASSWORD, RELEASE_KEY_ALIAS, RELEASE_KEY_PASSWORD). Those values
    // belong in ~/.gradle/gradle.properties or CI secrets, never in a committed file.
    signingConfigs {
        release {
            storeFile file(RELEASE_STORE_FILE)
            storePassword RELEASE_STORE_PASSWORD
            keyAlias RELEASE_KEY_ALIAS
            keyPassword RELEASE_KEY_PASSWORD
        }
    }

    buildTypes {
        release {
            // NOTE(review): with minifyEnabled false the proguard files below are inert
            // and every class of every dependency ships in the APK, so Play's APK scan
            // may report library code the app never calls. Enabling R8 would shrink
            // that away, but the keep rules need verifying first - left unchanged here.
            minifyEnabled false
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
            buildConfigField 'String', 'BASE_URL', '"https://api.examplewebsite.net/"'
            buildConfigField 'String', 'BASE_WEB_URL', '"https://www.examplewebsite.net/"'
            buildConfigField 'Boolean', 'USES_ENCRYPTION', 'true'
            signingConfig signingConfigs.release
        }
        debug {
            debuggable true
            // UAT endpoints. USES_ENCRYPTION is switched off for this build type only;
            // never promote a debug build or its configuration to release.
            buildConfigField 'String', 'BASE_URL', '"https://uat-api.examplewebsite.net/"'
            buildConfigField 'String', 'BASE_WEB_URL', '"https://uat.examplewebsite.net/"'
            buildConfigField 'Boolean', 'USES_ENCRYPTION', 'false'
        }
    }
}

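// Module-level repositories. Gradle queries these in declaration order and takes the
// first repository that serves a requested group, so each third-party host should be
// restricted to the groups it is actually meant to provide (Gradle 5.1+
// `content { includeGroup... }`; AGP 4.0 already requires Gradle 6.1.1). Without a
// filter any of these hosts could serve an artifact that was meant to come from
// jcenter (dependency confusion).
repositories {
    // NOTE(review): a raw GitHub branch is a mutable, unsigned artifact source, and
    // nothing in this module's dependencies { } block appears to resolve from it.
    // Consider removing it; left unchanged here so the build is not altered.
    maven { url 'https://github.com/uPhyca/stetho-realm/raw/master/maven-repo' }
    // JitPack builds artifacts from GitHub on demand; only com.github.* groups
    // (BottomNavigationViewEx below, plus any of its com.github transitives) should
    // ever be fetched from it.
    maven {
        url "https://jitpack.io"
        content { includeGroupByRegex 'com\\.github\\..*' }
    }
    // Spring milestone repository, needed only for spring-android-rest-template.
    maven {
        url 'https://repo.spring.io/libs-milestone'
        content { includeGroupByRegex 'org\\.springframework.*' }
    }
    // Braintree / Cardinal 3D Secure SDK.
    // TODO(review): add a content filter for the Cardinal SDK's group once it has been
    // confirmed from the resolved dependency tree (./gradlew :app:dependencies).
    maven { url "https://cardinalcommerce.bintray.com/android" }
    jcenter()
}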

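dependencies {
    // NOTE(review): unversioned jars in libs/ sit outside dependency management - no
    // coordinates, no checksum, no update path. Prefer Maven coordinates where possible.
    implementation fileTree(dir: 'libs', include: ['*.jar'])

    // Kotlin
    implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk7:$kotlin_version"
    implementation 'org.jetbrains.kotlinx:kotlinx-coroutines-core:1.3.3'
    implementation "org.jetbrains.anko:anko:0.10.1"

    // AndroidX / Material
    implementation 'androidx.appcompat:appcompat:1.1.0'
    implementation 'androidx.legacy:legacy-support-v4:1.0.0'
    implementation 'androidx.media:media:1.0.1'
    implementation 'androidx.vectordrawable:vectordrawable-animated:1.0.0'
    implementation 'androidx.browser:browser:1.0.0'
    implementation 'androidx.constraintlayout:constraintlayout:1.1.3'
    implementation 'androidx.recyclerview:recyclerview:1.1.0'
    implementation 'androidx.lifecycle:lifecycle-extensions:2.0.0'
    kapt 'androidx.lifecycle:lifecycle-compiler:2.0.0'
    implementation "androidx.preference:preference-ktx:1.1.0"
    implementation 'com.google.android.material:material:1.0.0'
    implementation 'com.github.ittianyu:BottomNavigationViewEx:2.0.2'
    // NOTE(review): these legacy support-library coordinates carry no version and
    // duplicate the AndroidX artifacts above; they only resolve if something else
    // supplies a version. They look removable - left in place because this edit
    // does not change what is built.
    implementation 'com.android.support:appcompat-v7'
    implementation 'com.android.support:recyclerview-v7'

    // Dependency injection. The annotation processor must match the runtime version;
    // it was pinned at 2.20 against a 2.27 runtime, which may generate incompatible code.
    implementation 'com.google.dagger:dagger:2.27'
    kapt 'com.google.dagger:dagger-compiler:2.27'

    // Networking / serialisation
    // NOTE(review): Retrofit 2.0.2 and OkHttp 3.10.0 are several years behind current
    // releases; check their changelogs before assuming TLS behaviour is up to date.
    implementation 'com.squareup.retrofit2:retrofit:2.0.2'
    implementation 'com.squareup.retrofit2:converter-gson:2.0.2'
    // NOTE(review): HttpLoggingInterceptor at Level.BODY writes request/response headers
    // and bodies - auth tokens included - to logcat. Make sure release builds use
    // Level.NONE, or move this to debugImplementation if only debug code references it.
    implementation 'com.squareup.okhttp3:logging-interceptor:3.10.0'
    implementation 'com.squareup.picasso:picasso:2.71828'
    implementation 'com.apollographql.apollo:apollo-runtime:1.3.2'
    // NOTE(review): spring-android is a retired project and this is a pre-release
    // milestone; Retrofit above already covers REST calls, so consider removing it.
    implementation 'org.springframework.android:spring-android-rest-template:2.0.0.M3'

    // Crypto / tokens
    // NOTE(review): Spongy Castle is a repackaged Bouncy Castle 1.58 and appears
    // unmaintained; Bouncy Castle now publishes Android-usable builds directly. An
    // old TLS stack bundled into the app deserves an audit of what actually uses it.
    implementation group: 'com.madgag.spongycastle', name: 'bctls-jdk15on', version: '1.58.0.0'
    implementation 'com.auth0.android:jwtdecode:2.0.0'

    // Firebase / Play services
    // NOTE(review): the Firebase Invites service was discontinued in 2020, so
    // firebase-invites is presumably dead weight now.
    implementation 'com.google.firebase:firebase-invites:17.0.0'
    implementation 'com.google.firebase:firebase-core:17.0.1'
    implementation 'com.google.firebase:firebase-config:19.2.0'
    implementation 'com.google.firebase:firebase-crashlytics:17.2.2'
    implementation 'com.google.firebase:firebase-analytics:17.6.0'
    implementation 'com.google.android.gms:play-services-analytics:17.0.0'
    implementation 'com.google.android.gms:play-services-wallet:18.1.2'
    implementation 'com.facebook.android:facebook-android-sdk:6.1.0'

    // Payments. An answer on this page traces the Play Store "unsafe HostnameVerifier"
    // warning to a PayPal library inside the Braintree SDK; if that applies here,
    // these are the artifacts to update (versions left as-is - confirm the fixed
    // release in Braintree's changelog first).
    implementation 'com.braintreepayments:popup-bridge:2.0.0'
    implementation 'com.braintreepayments.api:braintree:3.7.0'
    implementation 'com.braintreepayments.api:google-payment:3.2.0'
    implementation 'com.braintreepayments.api:drop-in:4.4.1'
    implementation 'com.braintreepayments.api:three-d-secure:3.7.0'

    // Tests. espresso-core was declared twice (3.2.0 and 3.1.0 with an exclude); Gradle
    // resolves to 3.2.0 and the exclude on the losing edge never applied, so the
    // duplicate was inert and has been dropped.
    testImplementation 'junit:junit:4.12'
    androidTestImplementation 'androidx.test:runner:1.2.0'
    androidTestImplementation 'androidx.test.espresso:espresso-core:3.2.0'
    androidTestImplementation 'org.mockito:mockito-android:2.25.1'
    androidTestImplementation "com.nhaarman:mockito-kotlin:1.5.0"
}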

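// The google-services plugin is already applied once near the top of this file; the
// second `apply plugin: 'com.google.gms.google-services'` that used to be here was
// redundant and has been removed.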

apollo {
    // Apollo GraphQL codegen: emit Kotlin data models instead of Java ones.
    generateKotlinModels.set(true) // or false for Java models
}
  • having the same issue, did you find a fix for it? – Fminus Dec 24 '20 at 16:47
  • You should look for an insecure verifier in one of the libraries you use — it will be a class that implements HostnameVerifier and returns true from verify() unconditionally. The easiest way I know is to go through all suspicious jars under "External Libraries" in your project and search each for HostnameVerifier. Alternatively decompile the release APK itself (Play scans the final dex, and with minifyEnabled false the class names are intact) and search that, since it covers transitive dependencies too. – Alex Cohn Apr 13 '21 at 17:18


In my case the cause was a library (lib.android.paypal) bundled inside the Braintree SDK. Updating the Braintree SDK to a release where that HostnameVerifier has been fixed may resolve the warning for you too. After upgrading, rebuild the release APK and check it yourself (decompile it and search for HostnameVerifier implementations) before resubmitting, rather than waiting for the next Play review to tell you.


Add the following Maven repository and credentials to your app-level Gradle. These are the values Braintree itself publishes for its 3D Secure (Cardinal) integration, so they are not a secret you are leaking — but do not copy this pattern for real credentials, which belong in gradle.properties or CI secrets rather than in a committed build script. (Bintray hosting was later sunset, so check the current Braintree integration guide for the repository to use.)

repositories {
    maven {
        url "https://cardinalcommerce.bintray.com/android"
        // Read-only repository credentials that Braintree publishes for its 3D Secure
        // (Cardinal) SDK. They are public by the vendor's choice, which is the only
        // reason a literal password is acceptable here; real secrets (signing keys,
        // API tokens) belong in gradle.properties / environment variables, the way the
        // question's signingConfigs already reads RELEASE_STORE_PASSWORD.
        // NOTE(review): consider a content { includeGroup ... } filter so this host can
        // only serve the Cardinal SDK's group and nothing else the project resolves.
        credentials {
            username 'braintree-team-sdk@cardinalcommerce'
            password '220cc9476025679c4e5c843666c27d97cfb0f951'
        }
    }
}