Google Play Warning: How to fix incorrect implementation of HostnameVerifier?


I received Notification from Google saying: Security alert

Your app is using an unsafe implementation of HostnameVerifier. Please see this Google Help Center article for details, including the deadline for fixing the vulnerability.

Did anyone receive this alert and, if so, how did you solve it?

I have a HostnameVerifier class as follows:

import android.util.Log;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;

public class NullHostNameVerifier implements HostnameVerifier {
    @Override
    public boolean verify(String hostname, SSLSession session) {
        // Accepts every hostname, whatever the presented certificate says
        Log.i("UtilImpl", "Approving certificate for " + hostname);
        return true;
    }
}

Please help me find what's wrong with this code and how to solve it.

3

There are 3 answers

1
Artyom On

If you know that it won't hurt your users' data privacy and you just want to bypass this check, try something like

import android.os.Build;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
public class NullHostNameVerifier implements HostnameVerifier {
    @Override
    public boolean verify(String hostname, SSLSession session) {
        // BASE_1_1 is API level 2, so this holds on every device: every hostname is still accepted
        return Build.VERSION.SDK_INT >= Build.VERSION_CODES.BASE_1_1;
    }
}

The idea is to make verify not return true obviously, so the automatic check will be unable to detect it.

0
Antimony On

The problem is that your NullHostNameVerifier effectively removes all security from the connection. You should delete it and just use the defaults.

0
TheMatrix On
You should not bypass the check; it's an invitation for hackers...
As per the mail received from Google, there can be two possibilities for this issue:

    1. Primarily, check that your package name is not using any keywords restricted by Google. For example, in "com.companyname.**android**", .android is not allowed.
    2. Then, secondly, check the HostnameVerifier:

    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLSession;

    // Keep a reference to the platform's default verifier before replacing it (avoids recursion)
    final HostnameVerifier defaultVerifier = HttpsURLConnection.getDefaultHostnameVerifier();
    HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
        @Override
        public boolean verify(final String hostname, final SSLSession session) {
            // Let the platform check the certificate against the hostname instead of returning true
            return defaultVerifier.verify(hostname, session);
        }
    });
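As an added illustration, not code from the question or from any of the answers, here is what the `/* check if SSL is really valid */` placeholder has to do: match the requested hostname against the dNSName entries of the peer certificate's Subject Alternative Name extension, rejecting whenever no verifiable certificate is available. The class name `SanHostnameVerifier` and the SAN list in `main` are constructed for this example; on Android the default verifier already performs this check, so deleting the custom class, as Antimony suggests, remains the simplest fix.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/** Approves a hostname only if the peer certificate's dNSName SAN entries cover it. */
public final class SanHostnameVerifier implements HostnameVerifier {
    @Override
    public boolean verify(String hostname, SSLSession session) {
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) return false;
            Collection<List<?>> sans = ((X509Certificate) chain[0]).getSubjectAlternativeNames();
            return sans != null && matchesAnyDnsSan(hostname, sans);
        } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
            return false; // no verifiable peer certificate: reject, never a blanket "return true"
        }
    }

    /** True if hostname equals, or fits a single-label wildcard of, a dNSName (type 2) SAN. */
    static boolean matchesAnyDnsSan(String hostname, Collection<List<?>> sans) {
        String host = hostname.toLowerCase(Locale.ROOT);
        for (List<?> san : sans) { // each entry is [type, value] per RFC 5280
            if (san.size() < 2 || !Integer.valueOf(2).equals(san.get(0))) continue;
            if (matchesDnsName(host, String.valueOf(san.get(1)).toLowerCase(Locale.ROOT))) return true;
        }
        return false;
    }

    static boolean matchesDnsName(String host, String pattern) {
        if (!pattern.startsWith("*.")) return host.equals(pattern);
        // "*.example.com" covers exactly one extra left-most label and never "example.com" itself
        int dot = host.indexOf('.');
        if (dot <= 0) return false;
        String parent = host.substring(dot + 1);
        return parent.contains(".") && parent.equals(pattern.substring(2));
    }

    public static void main(String[] args) { // constructed SAN list, not a real certificate
        Collection<List<?>> sans = Arrays.<List<?>>asList(Arrays.asList(2, "*.example.com"), Arrays.asList(2, "api.example.net"));
        System.out.println(matchesAnyDnsSan("api.example.com", sans));
        System.out.println(matchesAnyDnsSan("a.b.example.com", sans));
        System.out.println(matchesAnyDnsSan("evil.net", sans));
    }
}
```

The first lookup is approved by the wildcard entry, while the two-label-deep name and the unrelated host are both rejected, which is exactly what a `return true` verifier fails to do.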