Kotlin Insecure Hostname Verification
Description
Detects when an application disables proper hostname verification in OkHttpClient configurations. This vulnerability allows an application to accept certificates that do not match the host it is connecting to, leaving HTTPS connections open to man-in-the-middle attacks because certificate hostname validation is bypassed.
Detection Strategy
• Identifies usage of OkHttpClient.Builder in Android/Kotlin applications
• Checks if the builder configuration includes code that disables or bypasses hostname verification
• Reports a vulnerability when hostname verification is disabled or set to accept all hostnames without proper validation
• Focuses specifically on configurations within the okhttp3 library
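The detection strategy above, as an added Python script that is not part of Fluid Attacks' tooling: a small source scanner that flags hostnameVerifier lambdas configured on an OkHttpClient.Builder whose only result is an unconditional true. The two Kotlin snippets it scans are constructed for the demo, and the heuristic only understands lambda-style verifiers.

```python
import re

# Constructed Kotlin snippets used as demo input (not taken from a real app).
VULNERABLE_KT = """import okhttp3.OkHttpClient
val client = OkHttpClient.Builder()
    .hostnameVerifier { hostname, session ->
        return@hostnameVerifier true // accepts any hostname
    }
    .build()
"""
SAFE_KT = """import okhttp3.OkHttpClient
import okhttp3.internal.tls.OkHostnameVerifier
val client = OkHttpClient.Builder()
    .hostnameVerifier { hostname, session ->
        OkHostnameVerifier.verify(hostname, session) && hostname.endsWith(".example.com")
    }
    .build()
"""

BUILDER_RE = re.compile(r"OkHttpClient\s*\.\s*Builder\s*\(")
VERIFIER_RE = re.compile(r"\.hostnameVerifier\b")
# Lambda may follow directly or be wrapped as hostnameVerifier(HostnameVerifier { ... })
HEAD_RE = re.compile(r"\s*(?:\(\s*(?:javax\.net\.ssl\.)?HostnameVerifier\s*)?\{")

def _lambda_body(src, start):
    """Text inside the verifier lambda's balanced braces, or None if not a lambda."""
    head = HEAD_RE.match(src, start)
    if head is None:
        return None
    depth = 0
    for i in range(head.end() - 1, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[head.end():i]
    return None

def _accepts_all(body):
    """True when the lambda's only result is an unconditional `true`."""
    stmts = body.split("->", 1)[1] if "->" in body else body
    stmts = re.sub(r"//[^\n]*", "", stmts)   # drop line comments
    stmts = re.sub(r"[\s;]+", "", stmts)     # collapse whitespace and semicolons
    return re.fullmatch(r"(?:return(?:@\w+)?)?true", stmts) is not None

def find_insecure_hostname_verifiers(src):
    """1-based line numbers of hostnameVerifier calls that accept every hostname."""
    if BUILDER_RE.search(src) is None:
        return []   # rule is scoped to OkHttpClient.Builder configurations
    return [src.count("\n", 0, m.start()) + 1
            for m in VERIFIER_RE.finditer(src)
            if (body := _lambda_body(src, m.end())) is not None and _accepts_all(body)]
```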
Vulnerable code example
import okhttp3.OkHttpClient

val client = OkHttpClient.Builder()
    .hostnameVerifier { hostname, session ->
        // VULNERABLE: accepts any hostname without verification, bypassing SSL/TLS protection
        return@hostnameVerifier true
    }
    .build()
✅ Secure code example
import okhttp3.OkHttpClient

val client = OkHttpClient.Builder()
    // OkHttp's default hostname verifier is secure, so there is no need to override it
    .build()
// If custom verification is needed, delegate to the default verifier rather than accepting every hostname