MASTG-TEST-0234: SSLSockets not Properly Verifying Hostnames

Overview

SSLSocket does not perform hostname verification by default unless the app explicitly uses HostnameVerifier.verify(). See the "Android documentation" and "Unsafe HostnameVerifier" for more details.

Steps

1. Reverse engineer the app ( Decompiling Java Code).
2. Run a static analysis ( Static Analysis on Android) tool and look for all usages of SSLSocket and HostnameVerifier.

Observation

The output contains a list of locations where SSLSocket and HostnameVerifier are used.

Evaluation

The test case fails if hostname verification is missing or implemented incorrectly.

Demos

MASTG-DEMO-0048: SSLSocket Connection to Wrong Host Server Allowed by Lack of HostnameVerifier MASTG-DEMO-0049: SSLSocket Connection to Wrong Host Server Blocked by HostnameVerifier