ammarahm-ed / react-native-scoped-storage

MIT License
58 stars, 10 forks

Google Play Blocker: Unsafe Hostname Verifier Defined #53

Open SumitTikole opened 2 months ago

SumitTikole commented 2 months ago

Issue Severity: High
Issue Exploitability: Moderate

Issue Description: The following classes within the App define an [insecure `HostnameVerifier`](https://developer.android.com/reference/javax/net/ssl/HostnameVerifier.html#verify(java.lang.String,%20javax.net.ssl.SSLSession)) that disables SSL hostname validation:

com.ammaralmed.scopedstorage.RNScopedStorageUtils$2

The vulnerable classes define a custom `HostnameVerifier` that does not perform any validation of the server's hostname:

```java
...
// Sample code to initialize an insecure HostnameVerifier
new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) {
        return true; // accepts every hostname: no validation at all
    }
});
...
```

Hence, connections using this `HostnameVerifier` will accept any certificate signed by a valid Certificate Authority for any hostname as valid, allowing an attacker to use a CA-signed certificate issued for a domain they own to perform a man-in-the-middle attack against the App.

Regardless of whether the affected classes are actually used at runtime or not, Google Play is blocking any App that defines such an insecure `HostnameVerifier`, as detailed on Google's support page:

"Beginning March 1, 2017, Google Play will block publishing of any new apps or updates that use an unsafe implementation of HostnameVerifier."

Recommendation: To avoid rejection from Google Play, ensure the custom `HostnameVerifier` implementation returns `false` whenever the hostname of the server does not meet your expectations.

If possible, remove from the vulnerable Java or Kotlin classes any code that customizes hostname validation, in order to use Android's safe default hostname validation logic.
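To make the recommendation concrete, the following is an added example written for this page; it is not code from react-native-scoped-storage, nor from the issue author. It puts the flagged pattern (an anonymous `HostnameVerifier` that always returns `true`, which is what a class name such as `...Utils$2` usually points at: the second anonymous inner class declared in that source file) beside two hardened forms: delegating to the platform's default verifier, or restricting connections to an allowlist of expected hosts and still running the default check. The class name `HostnameVerifiers`, the helper `allowlisted(...)` and the host names are assumptions made for illustration.

```java
import java.io.IOException;
import java.net.URL;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

/**
 * Illustrative example (not project code): the insecure verifier that
 * Google Play rejects, next to two verifiers that are safe to ship.
 */
public final class HostnameVerifiers {

    private HostnameVerifiers() {}

    /**
     * INSECURE. Same shape as the snippet in the issue: the verifier never
     * compares the hostname against the certificate, so a CA-signed
     * certificate for attacker.example passes for api.example.com.
     * Defining this anywhere in the APK is enough to trigger the block.
     */
    public static final HostnameVerifier INSECURE = new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            return true; // never do this
        }
    };

    /**
     * SAFE. The platform default performs standard certificate name
     * matching (subject alternative names, wildcards) and returns false
     * on any mismatch. If no customisation is needed, this is the
     * verifier to use; simply not overriding it gives the same result.
     */
    public static final HostnameVerifier PLATFORM_DEFAULT =
            HttpsURLConnection.getDefaultHostnameVerifier();

    /**
     * SAFE and stricter. Only the listed hosts are accepted at all, and
     * for those the default name check still has to pass. Any other
     * host, including null, yields false, as the issue recommends.
     */
    public static HostnameVerifier allowlisted(String... expectedHosts) {
        final Set<String> allowed = new HashSet<>();
        for (String host : expectedHosts) {
            allowed.add(host.toLowerCase(Locale.ROOT));
        }
        final HostnameVerifier base = HttpsURLConnection.getDefaultHostnameVerifier();

        return new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                if (hostname == null
                        || !allowed.contains(hostname.toLowerCase(Locale.ROOT))) {
                    return false; // unexpected host: reject explicitly
                }
                return base.verify(hostname, session);
            }
        };
    }

    /**
     * Installs a verifier on a single connection. Prefer this over
     * HttpsURLConnection.setDefaultHostnameVerifier(...), which changes
     * the verifier for every HTTPS connection in the process.
     */
    public static HttpsURLConnection open(URL url, HostnameVerifier verifier)
            throws IOException {
        HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
        connection.setHostnameVerifier(verifier);
        return connection;
    }

    public static void main(String[] args) throws IOException {
        // Example host: an assumption for illustration, not a real endpoint.
        URL api = new URL("https://api.example.com/v1/files");
        HttpsURLConnection conn = open(api, allowlisted("api.example.com"));
        System.out.println("Verifier installed for " + conn.getURL().getHost());
    }
}
```

When fixing a flagged build, the quickest check is to search the decompiled or source tree for every `implements HostnameVerifier` and every anonymous `new HostnameVerifier()`; each one either has to go (the `PLATFORM_DEFAULT` case, which needs no code at all) or has to contain a path that returns `false`. Google Play's scanner looks at the class definition, so an unused but still-compiled insecure verifier keeps the app blocked.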

JayP2405 commented 1 month ago

Are there any updates on this? Can anyone help with looking into this?

My application has also had this same issue reported by the security team, and I need to resolve it within a couple of weeks, or I will have to remove this dependency from my project.

In the case of the second scenario, any idea of an alternative solution?

JayP2405 commented 1 month ago

Can someone please help with this? @ammarahm-ed