
MASTG-TEST-0283: Incorrect Implementation of Server Hostname Verification

Overview

This test evaluates whether an Android app implements a HostnameVerifier whose verify(...) method does not actually check that the server certificate was issued for the hostname being connected to, effectively turning off hostname validation for the affected connections.

Such unsafe implementations allow an attacker to run a MITM attack using any certificate the app's trust store accepts, even though it was issued for a different hostname (for example, a CA-issued certificate for a domain the attacker controls, or a self-signed certificate if certificate validation is also broken), and to intercept or tamper with the app's traffic.

Steps

  1. Reverse engineer the app (see Decompiling Java Code).
  2. Inspect the source code and run a static analysis tool (see Static Analysis on Android), looking for all usages of HostnameVerifier and every call to setHostnameVerifier(...) or setDefaultHostnameVerifier(...).

Observation

The output should contain a list of locations where HostnameVerifier is used.

Evaluation

The test case fails if the app does not properly validate that the server's hostname matches the certificate.

This includes cases such as:

  • Always accepting hostnames: overriding verify(...) to unconditionally return true, regardless of the actual hostname or certificate.
  • Overly broad matching rules: using permissive wildcard logic that matches unintended domains.
  • Incomplete verification coverage: failing to invoke hostname verification on every SSL/TLS channel the app opens, for example verifying only the main HttpsURLConnection but not sockets created via SSLSocket, or not re-checking the peer after renegotiation.
  • Missing manual verification: relying on automatic verification where none takes place, such as when using the low-level SSLSocket API, which does not call any HostnameVerifier unless the app does so itself (or enables endpoint identification on the socket's SSLParameters).

When testing using automated tools, you will need to inspect all the reported locations in the reverse-engineered code to confirm the incorrect implementation (see Reviewing Decompiled Java Code).
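The following is an added example, not code from the MASTG page or its demo, that puts the failing patterns from the list above next to the passing ones so you can recognise both in decompiled code. Class and method names (HostnameVerificationExample, ACCEPT_ALL, BROAD_SUFFIX, connectWithEndpointIdentification, connectWithManualVerification) are assumptions made for illustration; the APIs used are the standard javax.net.ssl ones.

```java
import java.io.IOException;
import java.net.URL;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Illustrative class; names are assumptions, not MASTG or project code.
public class HostnameVerificationExample {

    // FAILS the test: accepts every hostname. Any certificate the trust store
    // accepts now "matches" any server, so a CA-issued cert for attacker.example
    // is enough for a MITM against api.example.com.
    static final HostnameVerifier ACCEPT_ALL = new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            return true; // unconditional accept: the pattern this test looks for
        }
    };

    // FAILS the test: overly broad "wildcard" logic. A suffix check on the
    // hostname string also matches "notexample.com" or "example.com.evil.net"
    // depending on the rule, and never looks at the certificate at all.
    static final HostnameVerifier BROAD_SUFFIX = new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            return hostname.endsWith("example.com"); // "notexample.com" passes
        }
    };

    // PASSES: with HttpsURLConnection the platform's default verifier runs
    // automatically (RFC 6125-style matching against the certificate's SANs).
    // The safe change is simply not to override it.
    static HttpsURLConnection openConnection(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Do NOT call conn.setHostnameVerifier(ACCEPT_ALL) or BROAD_SUFFIX here.
        return conn;
    }

    // PASSES for the low-level SSLSocket API, which performs no hostname check
    // on its own. Option A (Android API 24+ / Java 7+): ask the TLS engine to
    // do endpoint identification as part of the handshake.
    static SSLSocket connectWithEndpointIdentification(String host, int port)
            throws IOException {
        SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake(); // SSLHandshakeException if the cert does not match host
        return socket;
    }

    // Option B: run the platform's default verifier manually right after the
    // handshake and abort the connection if it rejects the peer certificate.
    static SSLSocket connectWithManualVerification(String host, int port)
            throws IOException {
        SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port);
        socket.startHandshake();
        HostnameVerifier hv = HttpsURLConnection.getDefaultHostnameVerifier();
        if (!hv.verify(host, socket.getSession())) {
            socket.close();
            throw new SSLPeerUnverifiedException(
                    "Server certificate does not match hostname " + host);
        }
        return socket;
    }
}
```

When reviewing decompiled code, a verify(...) body that returns a constant, or that only inspects the hostname string and never touches the SSLSession, is a fail regardless of how it is wired in; conversely, an SSLSocket path with neither setEndpointIdentificationAlgorithm(...) nor a post-handshake verify(...) call is the "missing manual verification" case even though no HostnameVerifier appears in the search results.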

Demos

MASTG-DEMO-0055: Use of the HostnameVerifier that Allows Any Hostname