My app has been removed with the following message:
We found that your app contains security vulnerabilities, which can expose user information or damage a user’s device. This is a violation of Device and Network Abuse policy. Specifically, your app(s) are vulnerable to Insecure Hostname Verification. To address this issue, follow the steps in this Google Help Center article.
I am using Google's Volley library to establish the connection. This message points me to implement the verify method in HostnameVerifier to adhere to policies. But I do not use HostnameVerifier, nor do I find it anywhere in the source code.
When queried further, Google support sent me the following:
your app is currently using the following vulnerable implementation of HostnameVerifier. Lg/a/a/a/a/l/e$a; Lg/a/a/a/a/l/f$a;
I do not understand these character sequences that they are pointing to.
If anyone has any help to solve this issue it is greatly appreciated. Thanks
your app is currently using the following vulnerable implementation of HostnameVerifier. Lg/a/a/a/a/l/e$a; Lg/a/a/a/a/l/f$a;
I do not understand these character sequences that they are pointing to.
L means it's a class type, and g/a/a/a/a/l/e$a is an obfuscated class name where $a is an inner class. Have a look at mapping.txt in your release build outputs to decode back to the original class name.
Even if you don't have a HostnameVerifier in your code, there can be libraries you are using with a bad implementation of HostnameVerifier.
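The lookup described in the answer above, as an added example that is not part of the original answer: a Python script that turns the reported type descriptors into dotted class names and resolves them against the class lines of a ProGuard/R8 mapping.txt. The mapping content and the com.example.* class names are constructed for illustration and are not what this app's names actually resolve to.

```python
import re

# Constructed sample in ProGuard/R8 mapping.txt format. The original class
# names are hypothetical; replace SAMPLE_MAPPING with the text of the
# mapping.txt from your own release build outputs.
SAMPLE_MAPPING = """\
# compiler: R8
com.example.net.TrustAllClient -> g.a.a.a.a.l.e:
    javax.net.ssl.HostnameVerifier verifier -> a
com.example.net.TrustAllClient$1 -> g.a.a.a.a.l.e$a:
    boolean verify(java.lang.String,javax.net.ssl.SSLSession) -> verify
com.example.net.LegacyClient$AllowAll -> g.a.a.a.a.l.f$a:
"""

# Class lines are unindented and look like "original.Name -> obfuscated.name:"
CLASS_LINE = re.compile(r"^(\S+) -> (\S+):$")

def load_class_map(text):
    """Return {obfuscated_name: original_name} built from class lines only."""
    classes = {}
    for line in text.splitlines():
        # Skip blank lines, indented member lines and '#' comment lines.
        if not line or line[0].isspace() or line.startswith("#"):
            continue
        m = CLASS_LINE.match(line.rstrip())
        if m:
            classes[m.group(2)] = m.group(1)
    return classes

def descriptor_to_name(descriptor):
    """Convert a JVM object descriptor 'Lpkg/Cls$Inner;' to 'pkg.Cls$Inner'."""
    d = descriptor.strip()
    if not (d.startswith("L") and d.endswith(";")):
        raise ValueError(f"not an object type descriptor: {descriptor!r}")
    return d[1:-1].replace("/", ".")

def resolve(descriptor, classes):
    """Return the original class name, or None if the mapping has no entry."""
    return classes.get(descriptor_to_name(descriptor))

if __name__ == "__main__":
    cmap = load_class_map(SAMPLE_MAPPING)
    for desc in ("Lg/a/a/a/a/l/e$a;", "Lg/a/a/a/a/l/f$a;"):
        print(desc, "->", resolve(desc, cmap) or "no entry in this mapping")
```

A descriptor with no entry in your mapping.txt was not renamed by your build, so the class most likely arrived under that name inside a dependency.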