I uploaded a new build to the Play Store and my build got rejected. The reason for rejecting it is a HostnameVerifier vulnerability. I checked all my code and couldn't find any use of HostnameVerifier, setDefaultHostnameVerifier or setHostnameVerifier.
I am using X509TrustManager but, again, not X509HostnameVerifier. Below is the implementation.
Is there something I am missing, or can I get more help on this? Thanks in advance.

import android.os.Build;

import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.TlsVersion;
import timber.log.Timber;

public final class TlsConfig
{
    // Tls12SocketFactory is the project's own SSLSocketFactory wrapper (not shown in the
    // question) that turns on TLS 1.2 for the sockets it creates.
    public static void enableTls12(OkHttpClient.Builder client, boolean supportClearText)
    {
        // Only API 16-21 need this; TLS 1.2 is enabled by default from API 22 onwards.
        if (Build.VERSION.SDK_INT >= 16 && Build.VERSION.SDK_INT < 22)
        {
            try
            {
                SSLContext sslContext = SSLContext.getInstance("TLSv1.2");

                // init((KeyStore) null) loads the platform's default trust store, so the
                // trust manager below is the system one, not a custom (trust-all) one.
                TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
                        TrustManagerFactory.getDefaultAlgorithm());
                trustManagerFactory.init((KeyStore) null);
                TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
                if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
                    throw new IllegalStateException("Unexpected default trust managers:"
                            + Arrays.toString(trustManagers));
                }
                X509TrustManager trustManager = (X509TrustManager) trustManagers[0];

                sslContext.init(null, new TrustManager[] { trustManager }, null);

                // No hostnameVerifier(...) is set here, so OkHttp keeps its default verifier.
                client.sslSocketFactory(new Tls12SocketFactory(sslContext.getSocketFactory()), trustManager);

                ConnectionSpec cs = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                        .tlsVersions(TlsVersion.TLS_1_2)
                        .build();

                List<ConnectionSpec> specs = new ArrayList<>();
                specs.add(cs);
                specs.add(ConnectionSpec.COMPATIBLE_TLS);
                if (supportClearText)
                {
                    // Allows plain http:// URLs in addition to TLS.
                    specs.add(ConnectionSpec.CLEARTEXT);
                }

                client.connectionSpecs(specs);
            } catch (Exception exc)
            {
                Timber.e(exc, "Error while setting TLS 1.2");
            }
        }
    }
}
Nick_C
  • Why do you need any of this code? Can you delete it all and just leave the libraries like OkHttp to do the right thing? Upgrade to OkHttp 3.12.13 (for legacy Android versions) or 4.9.1 for more modern Android versions. – Yuri Schimke Feb 15 '21 at 08:22
  • Thanks for the reply @YuriSchimke, but my code has multiple modules as a project and they are tightly coupled, so if I upgrade the OkHttp version it causes an issue. But we have started upgrading the code now. – Nick_C Mar 04 '21 at 22:51
  • Most likely the rejection is because of some library that your code depends on. – Alex Cohn Apr 13 '21 at 18:59
  • I tried cleaning up old libs and upgrading most, but I'm still having issues. – Nick_C Apr 20 '21 at 00:02

0 Answers