MASTG-TEST-0234: Missing Implementation of Server Hostname Verification with SSLSockets
Overview
This test checks whether an Android app uses SSLSocket without a HostnameVerifier, allowing connections to servers presenting certificates with wrong or invalid hostnames.
By default, SSLSocket does not perform hostname verification. To enforce it, the app must explicitly invoke HostnameVerifier.verify() and implement proper checks.
Such unsafe implementations can allow an attacker to run a MITM attack with a valid (or self-signed) certificate and intercept or tamper with the app's traffic.
Note: The connection succeeds even if the app has a fully secure Network Security Configuration (NSC) in place because SSLSocket is not affected by it.
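The following added example (not code from the MASTG demos) shows the two patterns this test distinguishes: an SSLSocket whose handshake validates the certificate chain but never checks the hostname, beside the same connection followed by an explicit HostnameVerifier.verify() call on the negotiated session. Class and method names are the example's own.

```java
import java.io.IOException;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Example code, not part of the MASTG page or its demos.
public final class SslSocketHostnameCheck {

    // FAILS this test: startHandshake() validates the chain against the
    // trust store, but nothing checks that the certificate was issued for
    // "host". A valid certificate for any other hostname is accepted.
    static SSLSocket connectWithoutHostnameCheck(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.startHandshake();
        return socket;
    }

    // PASSES this test: after the handshake, the negotiated session is
    // checked against the expected hostname with the platform's default
    // HostnameVerifier, and the socket is closed on any mismatch so no
    // application data is ever sent to a mis-issued or spoofed peer.
    static SSLSocket connectWithHostnameCheck(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            socket.startHandshake();
            HostnameVerifier verifier = HttpsURLConnection.getDefaultHostnameVerifier();
            if (!verifier.verify(host, socket.getSession())) {
                throw new SSLPeerUnverifiedException(
                        "Certificate presented by " + host + " does not match the hostname");
            }
            return socket;
        } catch (IOException e) {
            // Covers handshake failures and the hostname mismatch above.
            socket.close();
            throw e;
        }
    }
}
```

Only the second method should be treated as a pass; a verify() call whose result is ignored, or a verifier that always returns true, is the unsafe case covered by the linked "Incorrect Implementation of Server Hostname Verification" test.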
Steps
- Reverse engineer the app (Decompiling Java Code).
- Run a static analysis (Static Analysis on Android) tool and look for all usages of SSLSocket and HostnameVerifier.
Observation
The output contains a list of locations where SSLSocket and HostnameVerifier are used.
Evaluation
The test case fails if the app uses SSLSocket without a HostnameVerifier.
Note: If a HostnameVerifier is present, ensure it's not implemented in an unsafe manner. See Incorrect Implementation of Server Hostname Verification for guidance.
Demos
- MASTG-DEMO-0049: SSLSocket Connection to Wrong Host Server Blocked by HostnameVerifier
- MASTG-DEMO-0048: SSLSocket Connection to Wrong Host Server Allowed by Lack of HostnameVerifier