OWASP category: MASVS-CODE: Code Quality
Overview
The HostnameVerifier implementation is responsible for verifying that the
hostname in the server's certificate matches the hostname of the server that the
client is trying to connect to.
An unsafe HostnameVerifier implementation in an Android application is an
implementation that does not properly verify the hostname of the server with
which the application is communicating. This can allow an attacker to
impersonate a legitimate server and trick the application into sending sensitive
data to the attacker.
This vulnerability exists because the HostnameVerifier class has function
calls that can skip X.509 certificate hostname validation and, instead, only
verify the hash of the certificate. A common misconception is that the
SSLSession#isValid function
performs a security-related operation, when in reality its purpose is only to
check if a session is valid and available for resuming or joining; neither of
which validate the security of a session. The HostnameVerifier class has
been superseded by NetworkSecurityConfig.
Impact
Unsafe HostnameVerifier implementations can lead to vulnerabilities which can
be used to perform MiTM (Man-in-The-Middle) attacks on network traffic from the
victim application. The impact of exploiting this insecure code is that a user's
application network data can be compromised by network attackers (remotely or
locally) if this code is triggered. The impact is dependent on the content of
the network traffic being inadvertently exposed (PII, private information,
sensitive session values, service credentials, etc).
Mitigations
Use the NetworkSecurityConfig.xml functionality to ensure that all production, testing, debugging, and dev stage connections are properly handled rather than using or implementing custom TLS/SSL certificate validation code.