# Improper Certificate Validation
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-295: Improper Certificate Validation |
| OWASP | A03:2017 - Sensitive Data Exposure |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
## Description
The code uses a HostnameVerifier implementation that always returns true, effectively disabling hostname verification for SSL/TLS connections. The application will then accept a certificate regardless of which host name it was issued for, so a certificate for an unrelated server (or one obtained by an attacker for a host they control) is accepted in place of the intended server's certificate.
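The pattern this rule flags, beside a hardened form, as an added example that is not part of the original page. It assumes the JDK's HttpsURLConnection (where host name matching is done during the TLS handshake and the HostnameVerifier is only a fallback consulted when that check fails) and uses a placeholder URL.

```java
import java.io.IOException;
import java.net.URL;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

public class HostnameVerification {

    // Vulnerable: accepts any host name, so a certificate issued for some
    // other host passes for this connection (CWE-295). A verifier whose body
    // is just "return true" is the signature a code scanner looks for.
    static final HostnameVerifier ACCEPT_ALL = (hostname, session) -> true;

    static HttpsURLConnection openUnsafe(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setHostnameVerifier(ACCEPT_ALL);
        return conn;
    }

    // Hardened: keep the default decision. On the JDK the host name is checked
    // in the handshake (endpoint identification algorithm "HTTPS"); the
    // HostnameVerifier is only called when that check fails, and the default
    // verifier rejects. A custom verifier should add observability only and
    // delegate the decision instead of overriding it.
    static HostnameVerifier auditingVerifier(HostnameVerifier delegate) {
        return (hostname, session) -> {
            boolean ok = delegate.verify(hostname, session);
            if (!ok) {
                // Log the mismatch; this is the signal a MITM attempt produces.
                System.err.println("TLS host name check failed for " + hostname
                        + " (" + session.getProtocol() + ")");
            }
            return ok;
        };
    }

    static HttpsURLConnection openSafe(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setHostnameVerifier(
                auditingVerifier(HttpsURLConnection.getDefaultHostnameVerifier()));
        return conn;
    }

    public static void main(String[] args) throws IOException {
        // Placeholder host; replace with a server you operate.
        HttpsURLConnection conn = openSafe(new URL("https://example.com/"));
        System.out.println("Response: " + conn.getResponseCode());
    }
}
```

When the default is retained, a server presenting a certificate for a different host fails the handshake with an SSLHandshakeException rather than being silently accepted.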
## Impact
Attackers could intercept or manipulate traffic between the app and its servers using man-in-the-middle attacks, potentially exposing sensitive data or credentials. This undermines the security of encrypted connections and can lead to data breaches or unauthorized access.