MASTG-TEST-0283: Incorrect Implementation of Server Hostname Verification
Overview
This test evaluates whether an Android app implements a HostnameVerifier that uses verify(...) in an unsafe manner, effectively turning off hostname validation for the affected connections.
Such unsafe implementations can allow an attacker to run a MITM attack with a valid (or self-signed) certificate and intercept or tamper with the app's traffic.
Steps
- Use Reverse Engineering Android Apps to reverse engineer the app.
- Use Static Analysis on Android to look for the relevant APIs.
Observation
The output should contain a list of locations where HostnameVerifier is used.
Evaluation
The test case fails if the app does not properly validate that the server's hostname matches the certificate.
Further Validation Required:
Inspect each reported code location using Reviewing Decompiled Java Code, looking for cases such as:
- Always accepting hostnames: overriding `verify(...)` to unconditionally return `true`, regardless of the actual hostname or certificate.
- Overly broad matching rules: using permissive wildcard logic that matches unintended domains.
- Incomplete verification coverage: failing to invoke hostname verification on all SSL/TLS channels, such as those created via `SSLSocket`, or during renegotiation.
- Missing manual verification: not performing hostname verification when it is not done automatically, such as when using the low-level `SSLSocket` API.
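The first and last cases side by side, as an added illustration that is not code from MASTG or from the demo: an accept-all verifier of the kind this test flags, and an `SSLSocket` connection that performs the hostname check the platform does not run automatically for raw sockets. The class and method names are hypothetical; the verifier comes from `HttpsURLConnection.getDefaultHostnameVerifier()`, which is the same one `HttpsURLConnection` uses.

```java
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

public final class HostnameCheckExample {

    // FAILS this test: verify() ignores both arguments, so any certificate
    // that chains to a trusted CA is accepted for any hostname. Reviewers
    // should flag every HostnameVerifier whose verify() returns a constant.
    static final HostnameVerifier ACCEPT_ALL = new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    };

    // PASSES this test for a raw SSLSocket: the handshake only validates the
    // certificate chain, so the app must match the certificate to the host
    // itself before sending any data.
    static SSLSocket connectWithHostnameCheck(String host, int port) throws IOException {
        SSLContext ctx;
        try {
            ctx = SSLContext.getDefault();
        } catch (NoSuchAlgorithmException e) {
            throw new IOException(e);
        }
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);

        // Option A (API 24+): let the TLS stack enforce RFC 2818 matching
        // during the handshake itself, so a mismatch fails startHandshake().
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);

        socket.startHandshake();

        // Option B (all API levels): run the platform verifier explicitly on
        // the negotiated session and abort the connection on mismatch.
        HostnameVerifier verifier = HttpsURLConnection.getDefaultHostnameVerifier();
        if (!verifier.verify(host, socket.getSession())) {
            socket.close();
            throw new SSLPeerUnverifiedException("Certificate does not match " + host);
        }
        return socket;
    }
}
```

Either option alone is sufficient; the point is that a bare `createSocket` plus `startHandshake()` with neither of them is the "missing manual verification" case above.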
Demos
MASTG-DEMO-0055: Use of the HostnameVerifier that Allows Any Hostname