
MASTG-TEST-0234: SSLSockets not Properly Verifying Hostnames

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).


Overview

SSLSocket does not perform hostname verification by default; the app must explicitly call HostnameVerifier.verify() itself, otherwise any certificate chain trusted by the device is accepted regardless of the host it was issued for. See the "Android documentation" and "Unsafe HostnameVerifier" for more details.
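The two patterns a reviewer will encounter when auditing the SSLSocket usages found in the steps below, as an added example that is not part of this MASTG page or of any Android project: the first creates the socket and never checks the hostname (the finding this test reports), the second verifies the negotiated session against the expected host with the platform's default HostnameVerifier. The third variant assumes API level 24 or higher, where SSLParameters can make the socket itself enforce the check; class and method names are illustrative.

```java
import java.io.IOException;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class SslSocketHostnameCheck {

    // INSECURE (what this test flags): the handshake validates the certificate
    // chain against the device trust store, but nothing checks that the leaf
    // certificate was issued for `host`. Any trusted certificate is accepted.
    static SSLSocket connectWithoutHostnameCheck(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.startHandshake();
        return socket;
    }

    // SECURE: after the handshake, match the session's peer certificate against
    // the expected hostname with the default HostnameVerifier (CN/SAN matching).
    static SSLSocket connectWithHostnameCheck(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.startHandshake();
        HostnameVerifier hv = HttpsURLConnection.getDefaultHostnameVerifier();
        if (!hv.verify(host, socket.getSession())) {
            socket.close();
            throw new SSLPeerUnverifiedException("Certificate does not match hostname " + host);
        }
        return socket;
    }

    // ALTERNATIVE (assumes API level 24+): enable HTTPS endpoint identification
    // before the handshake so the socket rejects a mismatched certificate itself,
    // failing the handshake with an SSLHandshakeException.
    static SSLSocket connectWithEndpointIdentification(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake();
        return socket;
    }
}
```

When reviewing decompiled code, a call chain that reaches startHandshake() (or the first read/write on the socket) without either of the two checks shown here is the condition the Evaluation section describes as missing verification.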

Steps

  1. Reverse engineer the app (Decompiling Java Code).
  2. Run a static analysis (Static Analysis on Android) tool and look for all usages of SSLSocket and HostnameVerifier.

Observation

The output contains a list of locations where SSLSocket and HostnameVerifier are used.

Evaluation

The test case fails if hostname verification is missing or implemented incorrectly.