Android APK SSL Hostname Not Verified
Description
Detects Android applications that fail to verify that the hostname in the server's SSL/TLS certificate matches the host they connected to. Certificate chain validation alone does not cover this: an attacker can present a certificate that is validly issued for a different hostname (including one they legitimately own), the chain checks out, and the app accepts the connection. This enables man-in-the-middle attacks in which traffic the app believes is encrypted can be read and modified.
Detection Strategy
• Identifies implementations that override hostname verification without proper validation
• Detects custom HostnameVerifier implementations that return true without verification
• Flags cases where setHostnameVerifier is called with ALLOW_ALL_HOSTNAME_VERIFIER or a permissive verifier
• Checks for SSLSocketFactory implementations that skip hostname verification
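The following script is an added illustration of the detection strategy above and is not Fluid Attacks' own checker. It runs a few source-level rules over decompiled Java text: a HostnameVerifier.verify method whose whole body is return true, a reference to a known permissive verifier (ALLOW_ALL_HOSTNAME_VERIFIER from the page, plus Apache HttpClient's NoopHostnameVerifier, which is not mentioned on the page), and a lambda passed to setHostnameVerifier that always returns true. The Java snippets embedded as inputs are constructed for this example; the two "safe" samples show the remediation a reviewer would expect, namely delegating to the platform default verifier.

```python
"""Static check for Android HostnameVerifier misuse over decompiled Java source text.
Added example, not the page's or Fluid Attacks' own tooling."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    snippet: str


# Known permissive verifiers: ALLOW_ALL_HOSTNAME_VERIFIER (Apache HttpClient 4.x, also present in
# the legacy org.apache.http stack bundled with older Android) and NoopHostnameVerifier
# (Apache HttpClient 4.4+). NoopHostnameVerifier is an addition beyond the page's own list.
PERMISSIVE_VERIFIERS = ("ALLOW_ALL_HOSTNAME_VERIFIER", "NoopHostnameVerifier")

# Signature of HostnameVerifier.verify(String, SSLSession), with optional 'final' modifiers.
VERIFY_DECL = re.compile(
    r"\bboolean\s+verify\s*\(\s*(?:final\s+)?String\s+\w+\s*,\s*(?:final\s+)?SSLSession\s+\w+\s*\)"
)
# setHostnameVerifier((h, s) -> true) and similar always-true lambdas.
LAMBDA_TRUE = re.compile(r"setHostnameVerifier\s*\([^;]*?->\s*true\b", re.DOTALL)
PERMISSIVE_REF = re.compile("|".join(map(re.escape, PERMISSIVE_VERIFIERS)))

# Constructed sample inputs (not taken from any real app).
VULN_CUSTOM_VERIFIER = """
public class TrustingVerifier implements HostnameVerifier {
    public boolean verify(String hostname, SSLSession session) {
        return true;  // accepts any hostname
    }
}
"""
VULN_ALLOW_ALL = """
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
"""
VULN_LAMBDA = """
conn.setHostnameVerifier((hostname, session) -> true);
"""
SAFE_DEFAULT = """
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
"""
SAFE_CUSTOM = """
public class PinnedHostVerifier implements HostnameVerifier {
    public boolean verify(String hostname, SSLSession session) {
        HostnameVerifier hv = HttpsURLConnection.getDefaultHostnameVerifier();
        return hostname.equals("api.example.com") && hv.verify(hostname, session);
    }
}
"""


def _line(src: str, idx: int) -> int:
    """1-based line number of character offset idx."""
    return src.count("\n", 0, idx) + 1


def _block_body(src: str, start: int):
    """Text between the first '{' at or after start and its matching '}'.
    Returns None for an abstract/interface declaration (a ';' before any '{')."""
    open_idx = src.find("{", start)
    if open_idx < 0 or ";" in src[start:open_idx]:
        return None
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return None


def _normalize(code: str) -> str:
    """Strip comments and whitespace so 'return true;' compares reliably."""
    code = re.sub(r"//[^\n]*", "", code)
    code = re.sub(r"/\*.*?\*/", "", code, flags=re.DOTALL)
    return re.sub(r"\s+", "", code)


def scan(src: str) -> list[Finding]:
    """Apply the three rules to a Java source string; returns findings ordered by line."""
    findings = []
    for m in VERIFY_DECL.finditer(src):
        body = _block_body(src, m.end())
        if body is not None and _normalize(body) == "returntrue;":
            findings.append(Finding("permissive-verify-body", _line(src, m.start()), m.group(0)))
    for m in PERMISSIVE_REF.finditer(src):
        findings.append(Finding("allow-all-verifier", _line(src, m.start()), m.group(0)))
    for m in LAMBDA_TRUE.finditer(src):
        findings.append(Finding("lambda-always-true", _line(src, m.start()), m.group(0).splitlines()[0]))
    return sorted(findings, key=lambda f: (f.line, f.rule))


if __name__ == "__main__":
    for name, sample in [("custom", VULN_CUSTOM_VERIFIER), ("allow-all", VULN_ALLOW_ALL),
                         ("lambda", VULN_LAMBDA), ("safe-default", SAFE_DEFAULT), ("safe-custom", SAFE_CUSTOM)]:
        print(name, [(f.rule, f.line) for f in scan(sample)])
```

The body-equality rule deliberately matches only a verify method that does nothing but return true; a custom verifier that narrows the accepted host and still delegates to the default verifier, as in the second safe sample, is left alone. Real checkers add further rules (for example, a verify body that returns true after logging), but the structure of the check is the same.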