Created
September 19, 2013 14:15
Nuke SSL Certs
import android.util.Log;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
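/**
 * Disables TLS server authentication for every {@link HttpsURLConnection} in the process.
 *
 * <p>After {@link #nuke()} succeeds, any certificate chain and any hostname are accepted, so a
 * party on the network path can impersonate any HTTPS server and read or alter the traffic.
 * The defaults it replaces are static: connections opened through {@code HttpsURLConnection}
 * by unrelated code and libraries in the same process are affected too, not only the caller's.
 *
 * <p>Keep calls to this class out of release builds. To reach a development server that uses a
 * self-signed or private-CA certificate, trust that one certificate or CA instead (on Android,
 * a Network Security Configuration {@code debug-overrides} entry does this for debuggable
 * builds only); validation then stays intact for every other host.
 */
public class NukeSSLCerts {
    protected static final String TAG = "NukeSSLCerts";

    /**
     * Installs a trust-everything socket factory and an accept-any-host verifier as the
     * {@link HttpsURLConnection} defaults.
     *
     * <p>Exceptions raised while building or installing them are caught and logged as a
     * warning rather than propagated. After such a failure the defaults may be unchanged, or
     * only the socket factory may have been replaced.
     */
    public static void nuke() {
        try {
            TrustManager[] trustAllCerts = new TrustManager[] {
                new X509TrustManager() {
                    @Override
                    public X509Certificate[] getAcceptedIssuers() {
                        // Empty array: this manager names no trusted CA issuers. The check
                        // methods below never consult it.
                        return new X509Certificate[0];
                    }

                    @Override
                    public void checkClientTrusted(X509Certificate[] certs, String authType) {
                        // Returning without throwing accepts the chain unconditionally.
                    }

                    @Override
                    public void checkServerTrusted(X509Certificate[] certs, String authType) {
                        // Returning without throwing accepts the chain unconditionally:
                        // expired, self-signed and mismatched certificates all pass.
                    }
                }
            };

            // NOTE(review): "SSL" is the legacy context name; which protocol versions it
            // enables depends on the security provider. Confirm on the target platform, or
            // request "TLS" instead.
            SSLContext sc = SSLContext.getInstance("SSL");
            sc.init(null, trustAllCerts, new SecureRandom());

            // Both setters replace process-wide statics.
            HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
            HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
                @Override
                public boolean verify(String hostname, SSLSession session) {
                    // Accepts every hostname, so the certificate is never matched to the host.
                    return true;
                }
            });
        } catch (Exception e) {
            // Previously swallowed silently. Log it so the caller can tell from the log
            // whether the defaults were actually replaced. java.util.logging keeps the body
            // free of Android-only calls.
            Logger.getLogger(TAG).log(Level.WARNING, "Could not replace the HTTPS trust defaults", e);
        }
    }
}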
Google issued a warning on one of my apps saying `Your app is using an unsafe implementation of HostnameVerifier.` That's to be expected I guess, since you have an empty `HostnameVerifier` that always returns `true`. My question is: Have you also encountered this problem? If so, how did you deal with it? Did you try to obfuscate the code or something?