Unsafe HostnameVerifier

OWASP category: MASVS-CODE: Code Quality

Overview

The HostnameVerifier implementation is responsible for verifying that the hostname in the server's certificate matches the hostname of the server that the client is trying to connect to.

An unsafe HostnameVerifier implementation in an Android application is an implementation that does not properly verify the hostname of the server with which the application is communicating. This can allow an attacker to impersonate a legitimate server and trick the application into sending sensitive data to the attacker.

This vulnerability arises when an application installs its own HostnameVerifier (via HttpsURLConnection#setHostnameVerifier, HttpsURLConnection#setDefaultHostnameVerifier, or an HTTP client's builder) whose verify(String hostname, SSLSession session) method returns true without comparing the requested hostname against the names in the server's X.509 certificate. A common misconception is that SSLSession#isValid performs a security-related check; in reality it only reports whether a session is available for resuming or joining, which says nothing about whether the certificate belongs to the host being contacted. The Network Security Configuration is the recommended replacement for custom verification code: it lets an app declare its trust settings (trust anchors, cleartext policy, debug overrides) in XML while the platform's default verifier continues to perform hostname matching.
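The following is an added example, not code from the original page, contrasting two unsafe HostnameVerifier implementations that are seen in practice with the safe choice of keeping the platform default. The class name and the host name api.example.com are assumptions for the illustration.

```java
import java.io.IOException;
import java.net.URL;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

// Illustrative class; the host name used below is an assumption for the example.
public final class HostnameVerifierExample {

    // UNSAFE: accepts every hostname. Any certificate the device already
    // trusts, issued for any domain, now passes for api.example.com, so a
    // network attacker holding a valid certificate for some unrelated domain
    // can impersonate the API.
    static final HostnameVerifier ACCEPT_ALL = new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    };

    // UNSAFE: SSLSession#isValid only reports whether the session can be
    // resumed or joined. It never compares 'hostname' with the certificate,
    // so for every live connection this behaves exactly like ACCEPT_ALL.
    static final HostnameVerifier SESSION_VALID_ONLY = new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            return session.isValid();
        }
    };

    // SAFE: the platform default matches 'hostname' against the names in the
    // certificate (subjectAltName entries). Not calling setHostnameVerifier
    // at all gives the same result.
    static final HostnameVerifier PLATFORM_DEFAULT =
            HttpsURLConnection.getDefaultHostnameVerifier();

    static HttpsURLConnection connect(HostnameVerifier verifier) throws IOException {
        URL url = new URL("https://api.example.com/v1/session");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setHostnameVerifier(verifier);
        return conn;
    }

    public static void main(String[] args) throws IOException {
        // Do NOT do this; it weakens every HttpsURLConnection in the process:
        // HttpsURLConnection.setDefaultHostnameVerifier(ACCEPT_ALL);

        HttpsURLConnection conn = connect(PLATFORM_DEFAULT);
        System.out.println("HTTP " + conn.getResponseCode());
        conn.disconnect();
    }
}
```

When reviewing an app, search for setHostnameVerifier, setDefaultHostnameVerifier and ALLOW_ALL_HOSTNAME_VERIFIER, then read each verify() body: an unconditional return true, a return of session.isValid(), or a check that ignores the hostname parameter is the unsafe pattern.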

Impact

Unsafe HostnameVerifier implementations allow MiTM (Man-in-The-Middle) attacks on the victim application's network traffic: an attacker on the path (on the local network or remotely) who presents any certificate the device trusts can impersonate the server once this code is reached. The impact depends on what the intercepted traffic contains (PII, private information, session tokens, service credentials, etc.).

Mitigations

Use the Network Security Configuration (res/xml/network_security_config.xml, referenced from the manifest's android:networkSecurityConfig attribute) to declare how production, testing, debugging and development connections are trusted, rather than writing or installing custom TLS/SSL certificate or hostname validation code. Keep the platform's default HostnameVerifier in place: the configuration controls which CAs are trusted, and the default verifier still checks that the certificate names the host being contacted.
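An added illustration, not part of the original page, of a network_security_config.xml that covers production and debug builds without any custom verifier; the file name follows the Android convention and the contents are an assumed example:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml
     Reference it from AndroidManifest.xml:
     <application android:networkSecurityConfig="@xml/network_security_config" ...> -->
<network-security-config>
    <!-- Production: trust only the system CA store and refuse cleartext.
         Hostname matching is still done by the platform's default verifier. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Debug builds only: additionally trust user-installed CAs so a
         testing proxy can be used. This block is ignored when the app is
         not debuggable, so it cannot leak into release builds. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
            <certificates src="system" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

With this in place there is no need to install an ACCEPT_ALL-style verifier or a custom TrustManager to get a development proxy working, which is the usual reason such code is introduced and then shipped.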

Resources