MASTG-TEST-0234: Missing Implementation of Server Hostname Verification with SSLSockets

Overview

This test checks whether an Android app uses SSLSocket without a HostnameVerifier, allowing connections to servers presenting certificates with wrong or invalid hostnames.

By default, SSLSocket does not perform hostname verification. To enforce it, the app must explicitly invoke HostnameVerifier.verify() and implement proper checks.

Such unsafe implementations can allow an attacker to run a MITM attack with a valid (or self-signed) certificate and intercept or tamper with the app's traffic.

Note: The connection succeeds even if the app has a fully secure Network Security Configuration (NSC) in place because SSLSocket is not affected by it.
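The following Java snippet is an added illustration of the two patterns this test distinguishes; it is not code from the MASTG demos. The `connectWithoutVerification` method shows the vulnerable pattern (handshake completes, hostname never checked), and `connectWithVerification` shows the fix: after `startHandshake()`, the session is passed to the platform's default `HostnameVerifier`, and the socket is closed if the certificate does not match the expected host. The host name and port are placeholders chosen for the example.

```java
import java.io.IOException;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class SslSocketHostnameExample {

    // Placeholder values for the example; substitute the real endpoint.
    private static final String HOST = "example.com";
    private static final int PORT = 443;

    /**
     * VULNERABLE: SSLSocket validates the certificate chain during the handshake
     * but never compares the certificate's subject/SAN against HOST. A server
     * presenting any certificate the device trusts (for a different hostname)
     * is accepted, and the Network Security Configuration does not intervene.
     */
    public static SSLSocket connectWithoutVerification() throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(HOST, PORT);
        socket.startHandshake();
        // Missing: any HostnameVerifier.verify(...) call.
        return socket;
    }

    /**
     * FIXED: after the handshake, explicitly verify that the negotiated session's
     * peer certificate belongs to HOST using the platform's default verifier
     * (the same one HttpsURLConnection uses). Close the socket on mismatch.
     */
    public static SSLSocket connectWithVerification() throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(HOST, PORT);
        socket.startHandshake();

        HostnameVerifier verifier = HttpsURLConnection.getDefaultHostnameVerifier();
        if (!verifier.verify(HOST, socket.getSession())) {
            // Do not leave a half-open connection to an unverified peer.
            socket.close();
            throw new SSLHandshakeException(
                    "Expected " + HOST + " but certificate hostname did not match");
        }
        return socket;
    }

    public static void main(String[] args) throws IOException {
        // Only the verified variant should be used in production code.
        try (SSLSocket socket = connectWithVerification()) {
            System.out.println("Connected to " + socket.getInetAddress()
                    + " with verified hostname " + HOST);
        }
    }
}
```

When reviewing decompiled code, the presence of `startHandshake()` (or the first read/write on the socket, which triggers the handshake implicitly) with no subsequent `verify(...)` on the session is the pattern that makes this test fail. A custom `HostnameVerifier` that unconditionally returns `true` is equally unsafe and is covered by the related test referenced in the Note below.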

Steps

  1. Use Reverse Engineering Android Apps to reverse engineer the app.
  2. Use Static Analysis on Android to look for the relevant APIs.

Observation

The output should contain a list of locations where SSLSocket and HostnameVerifier are used.

Evaluation

The test case fails if the app uses SSLSocket without a HostnameVerifier.

Note

If a HostnameVerifier is present, ensure it's not implemented in an unsafe manner. See Incorrect Implementation of Server Hostname Verification for guidance.

Demos

  * MASTG-DEMO-0048: SSLSocket Connection to Wrong Host Server Allowed by Lack of HostnameVerifier
  * MASTG-DEMO-0049: SSLSocket Connection to Wrong Host Server Blocked by HostnameVerifier