-2

My App has been removed with following message

We found that your app contains security vulnerabilities, which can expose user information or damage a user’s device. This is a violation of Device and Network Abuse policy. Specifically, your app(s) are vulnerable to Insecure Hostname Verification. To address this issue, follow the steps in this Google Help Center article.

I am using Google's Volley library to establish the connection. This message points me to to implement verify method in HostNameVerifier to adhere to policies. But, I do not use HostNameVerifier nor do I find it anywhere in the source code.

When queried further the google support sent me the following

your app is currently using the following vulnerable implementation of HostnameVerifier. Lg/a/a/a/a/l/e$a; Lg/a/a/a/a/l/f$a;

I do not understand these character sequences that they are pointing to.

If anyone has any help to solve this issue it is greatly appreciated. Thanks

Rahul
  • 21
  • 3

1 Answers1

1

our app is currently using the following vulnerable implementation of HostnameVerifier. Lg/a/a/a/a/l/e$a; Lg/a/a/a/a/l/f$a;

I do not understand these character sequences that they are pointing to.

L means it's a class type, and g/a/a/a/a/l/e$a is an obfuscated class name where $a is an inner class. Have a look at mapping.txt in your release build outputs to decode back to the original class name.

Even if you don't have a HostnameVerifier in your code, there can be libraries you are using with an bad implementation of HostnameVerifier.

laalto
  • 150,114
  • 66
  • 286
  • 303