MASTG-TEST-0234: Missing Implementation of Server Hostname Verification with SSLSockets
Overview¶
This test checks whether an Android app uses SSLSocket without a HostnameVerifier, allowing connections to servers presenting certificates with wrong or invalid hostnames.
By default, SSLSocket does not perform hostname verification. To enforce it, the app must explicitly invoke HostnameVerifier.verify() and implement proper checks.
Such unsafe implementations can allow an attacker to run a MITM attack with a valid (or self-signed) certificate and intercept or tamper with the app's traffic.
Note: The connection succeeds even if the app has a fully secure Network Security Configuration (NSC) in place because SSLSocket is not affected by it.
Steps¶
- Reverse engineer the app ( Decompiling Java Code).
- Run a static analysis ( Static Analysis on Android) tool and look for all usages of
SSLSocketandHostnameVerifier.
Observation¶
The output contains a list of locations where SSLSocket and HostnameVerifier are used.
Evaluation¶
The test case fails if the app uses SSLSocket without a HostnameVerifier.
Note: If a HostnameVerifier is present, ensure it's not implemented in an unsafe manner. See Incorrect Implementation of Server Hostname Verification for guidance.
Demos¶
MASTG-DEMO-0049: SSLSocket Connection to Wrong Host Server Blocked by HostnameVerifier MASTG-DEMO-0048: SSLSocket Connection to Wrong Host Server Allowed by Lack of HostnameVerifier