(#) Insecure call to `SSLCertificateSocketFactory.createSocket()` !!! WARNING: Insecure call to `SSLCertificateSocketFactory.createSocket()` This is a warning. Id : `SSLCertificateSocketFactoryCreateSocket` Summary : Insecure call to `SSLCertificateSocketFactory.createSocket()` Severity : Warning Category : Security Platform : Android Vendor : Android Open Source Project Feedback : https://issuetracker.google.com/issues/new?component=192708 Since : 1.5.0 (November 2015) Affects : Kotlin and Java files Editing : This check runs on the fly in the IDE editor See : https://goo.gle/SSLCertificateSocketFactoryCreateSocket Implementation : [Source Code](https://cs.android.com/android-studio/platform/tools/base/+/mirror-goog-studio-main:lint/libs/lint-checks/src/main/java/com/android/tools/lint/checks/SslCertificateSocketFactoryDetector.java) Tests : [Source Code](https://cs.android.com/android-studio/platform/tools/base/+/mirror-goog-studio-main:lint/libs/lint-tests/src/test/java/com/android/tools/lint/checks/SslCertificateSocketFactoryDetectorTest.kt) When `SSLCertificateSocketFactory.createSocket()` is called with an `InetAddress` as the first parameter, TLS/SSL hostname verification is not performed, which could result in insecure network traffic caused by trusting arbitrary hostnames in TLS/SSL certificates presented by peers. In this case, developers must ensure that the `InetAddress` is explicitly verified against the certificate through other means, such as by calling `SSLCertificateSocketFactory.getDefaultHostnameVerifier() to get a `HostnameVerifier` and calling `HostnameVerifier.verify()`. (##) Example Here is an example of lint warnings produced by this check: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~text src/test/pkg/SSLCertificateSocketFactoryTest.java:21:Warning: Use of SSLCertificateSocketFactory.createSocket() with an InetAddress parameter can cause insecure network traffic due to trusting arbitrary hostnames in TLS/SSL certificates presented by peers [SSLCertificateSocketFactoryCreateSocket] sf.createSocket(inet, 80); ------------------------- src/test/pkg/SSLCertificateSocketFactoryTest.java:22:Warning: Use of SSLCertificateSocketFactory.createSocket() with an InetAddress parameter can cause insecure network traffic due to trusting arbitrary hostnames in TLS/SSL certificates presented by peers [SSLCertificateSocketFactoryCreateSocket] sf.createSocket(inet4, 80); -------------------------- src/test/pkg/SSLCertificateSocketFactoryTest.java:23:Warning: Use of SSLCertificateSocketFactory.createSocket() with an InetAddress parameter can cause insecure network traffic due to trusting arbitrary hostnames in TLS/SSL certificates presented by peers [SSLCertificateSocketFactoryCreateSocket] sf.createSocket(inet6, 80); -------------------------- src/test/pkg/SSLCertificateSocketFactoryTest.java:24:Warning: Use of SSLCertificateSocketFactory.createSocket() with an InetAddress parameter can cause insecure network traffic due to trusting arbitrary hostnames in TLS/SSL certificates presented by peers [SSLCertificateSocketFactoryCreateSocket] sf.createSocket(inet, 80, inet, 2000); ------------------------------------- src/test/pkg/SSLCertificateSocketFactoryTest.java:25:Warning: Use of SSLCertificateSocketFactory.createSocket() with an InetAddress parameter can cause insecure network traffic due to trusting arbitrary hostnames in TLS/SSL certificates presented by peers [SSLCertificateSocketFactoryCreateSocket] sf.createSocket(inet4, 80, inet, 2000); -------------------------------------- src/test/pkg/SSLCertificateSocketFactoryTest.java:26:Warning: Use of SSLCertificateSocketFactory.createSocket() with an InetAddress parameter can cause insecure network traffic due to trusting arbitrary hostnames in TLS/SSL certificates presented by peers [SSLCertificateSocketFactoryCreateSocket] sf.createSocket(inet6, 80, inet, 2000); -------------------------------------- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Here is the source file referenced above: `src/test/pkg/SSLCertificateSocketFactoryTest.java`: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~java linenumbers package test.pkg; import android.net.SSLCertificateSocketFactory; import java.net.InetAddress; import java.net.Inet4Address; import java.net.Inet6Address; import javax.net.ssl.HttpsURLConnection; public class SSLCertificateSocketFactoryTest { public void foo() { byte[] ipv4 = new byte[4]; byte[] ipv6 = new byte[16]; InetAddress inet = Inet4Address.getByAddress(ipv4); Inet4Address inet4 = (Inet4Address) Inet4Address.getByAddress(ipv4); Inet6Address inet6 = Inet6Address.getByAddress(null, ipv6, 0); SSLCertificateSocketFactory sf = (SSLCertificateSocketFactory) SSLCertificateSocketFactory.getDefault(0); sf.createSocket("www.google.com", 80); // ok sf.createSocket("www.google.com", 80, inet, 2000); // ok sf.createSocket(inet, 80); sf.createSocket(inet4, 80); sf.createSocket(inet6, 80); sf.createSocket(inet, 80, inet, 2000); sf.createSocket(inet4, 80, inet, 2000); sf.createSocket(inet6, 80, inet, 2000); HttpsURLConnection.setDefaultSSLSocketFactory( SSLCertificateSocketFactory.getInsecure(-1,null)); } } ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ You can also visit the [source code](https://cs.android.com/android-studio/platform/tools/base/+/mirror-goog-studio-main:lint/libs/lint-tests/src/test/java/com/android/tools/lint/checks/SslCertificateSocketFactoryDetectorTest.kt) for the unit tests for this check to see additional scenarios. The above example was automatically extracted from the first unit test found for this lint check, `SslCertificateSocketFactoryDetector.test`. To report a problem with this extracted sample, visit https://issuetracker.google.com/issues/new?component=192708. (##) Suppressing You can suppress false positives using one of the following mechanisms: * Using a suppression annotation like this on the enclosing element: ```kt // Kotlin @Suppress("SSLCertificateSocketFactoryCreateSocket") fun method() { createSocket(...) } ``` or ```java // Java @SuppressWarnings("SSLCertificateSocketFactoryCreateSocket") void method() { createSocket(...); } ``` * Using a suppression comment like this on the line above: ```kt //noinspection SSLCertificateSocketFactoryCreateSocket problematicStatement() ``` * Using a special `lint.xml` file in the source tree which turns off the check in that folder and any sub folder. A simple file might look like this: ```xml <?xml version="1.0" encoding="UTF-8"?> <lint> <issue id="SSLCertificateSocketFactoryCreateSocket" severity="ignore" /> </lint> ``` Instead of `ignore` you can also change the severity here, for example from `error` to `warning`. You can find additional documentation on how to filter issues by path, regular expression and so on [here](https://googlesamples.github.io/android-custom-lint-rules/usage/lintxml.md.html). * In Gradle projects, using the DSL syntax to configure lint. For example, you can use something like ```gradle lintOptions { disable 'SSLCertificateSocketFactoryCreateSocket' } ``` In Android projects this should be nested inside an `android { }` block. * For manual invocations of `lint`, using the `--ignore` flag: ``` $ lint --ignore SSLCertificateSocketFactoryCreateSocket ...` ``` * Last, but not least, using baselines, as discussed [here](https://googlesamples.github.io/android-custom-lint-rules/usage/baselines.md.html).