@robmadden
Created September 19, 2013 14:15
Nuke SSL Certs
import java.security.SecureRandom;
import java.security.cert.X509Certificate;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

import android.util.Log;

public class NukeSSLCerts {
    protected static final String TAG = "NukeSSLCerts";

    // Replaces the process-wide HttpsURLConnection defaults, so every HTTPS
    // connection made through HttpsURLConnection afterwards is affected.
    public static void nuke() {
        try {
            TrustManager[] trustAllCerts = new TrustManager[] {
                new X509TrustManager() {
                    @Override
                    public X509Certificate[] getAcceptedIssuers() {
                        // No trusted anchors are advertised: an empty array is returned.
                        X509Certificate[] myTrustedAnchors = new X509Certificate[0];
                        return myTrustedAnchors;
                    }

                    // Empty body: any client certificate chain is accepted.
                    @Override
                    public void checkClientTrusted(X509Certificate[] certs, String authType) {}

                    // Empty body: any server certificate chain is accepted unchecked.
                    @Override
                    public void checkServerTrusted(X509Certificate[] certs, String authType) {}
                }
            };

            SSLContext sc = SSLContext.getInstance("SSL");
            sc.init(null, trustAllCerts, new SecureRandom());
            HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

            // Always returns true: the certificate is never matched against the hostname.
            HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
                @Override
                public boolean verify(String arg0, SSLSession arg1) {
                    return true;
                }
            });
        } catch (Exception e) {
            // Log the failure instead of silently discarding it.
            Log.e(TAG, "Failed to install trust-all SSL defaults", e);
        }
    }
}
@TheCrafter

Google issued a warning on one of my apps saying "Your app is using an unsafe implementation of HostnameVerifier." That's to be expected I guess, since you have an empty HostnameVerifier that always returns true.

My question is: Have you also encountered this problem? If so, how did you deal with it? Did you try to obfuscate the code or something?
