Beginning March 1, 2017, Google Play will block publishing of any new apps or updates that use an unsafe implementation of HostnameVerifier. Your published APK version will remain unaffected, however any updates to the app will be blocked unless you address this vulnerability.
Action required
To properly handle hostname verification, change the verify method in your custom HostnameVerifier interface to return false whenever the hostname of the server does not meet your expectations.
This is the message I got from the Google Play Store for one of my apps. We are doing some web service calls using the Apache library.
How do I rectify this issue?
Branch and switch to OkHttp. You've got a long night ahead of you.
As mentioned in the message, the verify() method inside the HostnameVerifier class should only return true for hostnames that your app trusts.
Try this. Call this method before the connection is established.
import android.annotation.SuppressLint;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

@SuppressLint("TrulyRandom")
public static void handleSSLHandshake() {
    try {
        // Trust manager that accepts every certificate chain: checkClientTrusted and
        // checkServerTrusted never throw, so certificate chain validation is disabled.
        TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager() {
            @Override
            public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[0];
            }

            @Override
            public void checkClientTrusted(X509Certificate[] certs, String authType) {
            }

            @Override
            public void checkServerTrusted(X509Certificate[] certs, String authType) {
            }
        }};

        // Install the trust-all manager as the default socket factory for HttpsURLConnection.
        SSLContext sc = SSLContext.getInstance("SSL");
        sc.init(null, trustAllCerts, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

        // Hostname verifier that returns true only for the hostnames this app expects and
        // false for everything else. It compares the hostname string only; it does not
        // look at the certificate carried in the SSLSession.
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                return hostname.equalsIgnoreCase("google.com")
                        || hostname.equalsIgnoreCase("firebasedynamiclinks.googleapis.com")
                        || hostname.equalsIgnoreCase("youtube.com");
            }
        });
    } catch (Exception ignored) {
    }
}
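For comparison, here is an added example (not code from the question or either answer) of a HostnameVerifier that satisfies the Play requirement while keeping the platform's certificate checks in place. It allowlists the hostnames the app intends to contact (the three hostnames from the answer above are reused here), and it then delegates to the verifier that HttpsURLConnection had installed before, so the certificate presented in the session must also match that hostname. It leaves the TrustManager alone, so the system CA store continues to validate the chain. The class name `AllowlistHostnameVerifier` and its `install` helper are this example's own naming, not an Android or Apache API.

```java
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

/**
 * Hostname verifier that (1) accepts only the hosts this app expects to talk to and
 * (2) still requires the peer certificate to match the hostname by delegating to the
 * platform's default verifier. Example code; the name is hypothetical.
 */
public final class AllowlistHostnameVerifier implements HostnameVerifier {

    // The verifier that was active before ours was installed. On Android this is the
    // standard subjectAltName / CN match against the certificate in the session.
    private final HostnameVerifier platformVerifier;
    private final Set<String> allowedHosts = new HashSet<>();

    public AllowlistHostnameVerifier(HostnameVerifier platformVerifier, String... hosts) {
        this.platformVerifier = platformVerifier;
        for (String host : hosts) {
            allowedHosts.add(host.toLowerCase(Locale.ROOT));
        }
    }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        // Fail closed: never return true when there is nothing to verify against.
        if (hostname == null || session == null) {
            return false;
        }
        // Step 1: reject any host the app did not intend to connect to.
        if (!allowedHosts.contains(hostname.toLowerCase(Locale.ROOT))) {
            return false;
        }
        // Step 2: the certificate presented in this session must actually be issued
        // for that hostname. A string allowlist on its own does not check this.
        return platformVerifier.verify(hostname, session);
    }

    /**
     * Installs the verifier process-wide for HttpsURLConnection. Call once at startup,
     * before the first connection is opened. The TrustManager / SSLSocketFactory are
     * deliberately not replaced, so chain validation against the system CA store stays on.
     */
    public static void install(String... hosts) {
        HostnameVerifier current = HttpsURLConnection.getDefaultHostnameVerifier();
        HttpsURLConnection.setDefaultHostnameVerifier(
                new AllowlistHostnameVerifier(current, hosts));
    }

    // Example call, using the hostnames from the answer above (constructed usage):
    // AllowlistHostnameVerifier.install("google.com",
    //         "firebasedynamiclinks.googleapis.com", "youtube.com");
}
```

If only one connection needs the restriction, pass the verifier to that connection with `conn.setHostnameVerifier(new AllowlistHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier(), "youtube.com"))` instead of installing it globally; the order of the two checks does not matter for correctness, but rejecting unexpected hosts first avoids doing certificate matching for connections the app should never have made.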