joltup / rn-fetch-blob

A project committed to making file access and data transfer easier, efficient for React Native developers.
MIT License

Issue with unsafe implementation of the HostnameVerifier interface #669

Open jasir-m opened 3 years ago

jasir-m commented 3 years ago

Your app(s) are using an unsafe implementation of the HostnameVerifier interface. You can find more information about how to resolve the issue in this Google Help Center article.

jacky-ew commented 3 years ago

Any updates on how to solve this issue? Already tried to update the dependencies, but still facing the same error.

jacky-ew commented 3 years ago

OkHttpClient.Builder builder = client.newBuilder();
builder.sslSocketFactory(sslSocketFactory, x509TrustManager);
builder.hostnameVerifier(new HostnameVerifier() {
    @Override
    public boolean verify(String hostname, SSLSession session) {
        return false;
    }
});

For this block of code, can we just return false? Found this solution here: https://www.programmersought.com/article/41342996449/

rn-fetch-blob was used for redux-persist, which will use the device's internal storage to store the redux state. Hence I presume there is no condition to return true in this case?

kolja-ec commented 3 years ago

This is because the following function allows unsafe/unverified SSL connections. Google does not allow this anymore. You must either add an interface to allow users to add exception-URLs or just remove these lines, but then it will stop working with not verified https-certs or connections without https. Not sure how local paths are handled (file://):

builder.hostnameVerifier(new HostnameVerifier() {
    @Override
    public boolean verify(String hostname, SSLSession session) {
        return true;
    }
});

in android/src/main/java/com/RNFetchBlob/RNFetchBlobUtils.java
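For contrast with the `return true` verifier quoted above, here is an added example (not code from rn-fetch-blob or from any commenter) of a verifier that fails closed: it rejects hosts the app does not expect and otherwise leaves the decision to the platform's certificate-name check. The class name `ExpectedHostVerifier` and the host `api.example.com` are hypothetical, and the factory method assumes the Android runtime, where the default verifier matches the hostname against the server certificate.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

/** Hypothetical class; not part of rn-fetch-blob. */
public final class ExpectedHostVerifier implements HostnameVerifier {
    private final Set<String> expectedHosts;  // hosts the app is meant to talk to
    private final HostnameVerifier delegate;  // performs the real certificate-name check

    public ExpectedHostVerifier(Set<String> hosts, HostnameVerifier delegate) {
        Set<String> normalized = new HashSet<>();
        for (String h : hosts) {
            normalized.add(h.toLowerCase(Locale.ROOT));
        }
        this.expectedHosts = Collections.unmodifiableSet(normalized);
        this.delegate = delegate;
    }

    /** Assumption: running on Android, where the default verifier checks the certificate. */
    public static ExpectedHostVerifier forAndroid(Set<String> hosts) {
        return new ExpectedHostVerifier(hosts, HttpsURLConnection.getDefaultHostnameVerifier());
    }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        if (hostname == null || session == null) {
            return false;
        }
        // Reject any host the app never expects to contact.
        if (!expectedHosts.contains(hostname.toLowerCase(Locale.ROOT))) {
            return false;
        }
        // Never return true unconditionally: the delegate has the final say.
        return delegate.verify(hostname, session);
    }
}

// Wiring, using the builder call from the snippet above (constructed host name):
//   builder.hostnameVerifier(
//       ExpectedHostVerifier.forAndroid(Collections.singleton("api.example.com")));
```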

agrawalsurabhi89 commented 3 years ago

@here: we are also facing this issue where Google has rejected the app, and given the reason of using this method.

siankhon commented 3 years ago

Google also rejected the app after changing the implementation of the verify method to return false according to https://support.google.com/faqs/answer/7188426?hl=en

Any possible solution to fix this?

mayurchoudharyst2020 commented 3 years ago

I removed all code related to HostnameVerifier, but Google again rejected my app. Can anyone help?