Security Vulnerability: "Unsafe HostnameVerifier Defined" - How to fix?

AFE_Foreman
Level 4

Hello! In my Unity VR app, I recently got a security vulnerability test failure: "Unsafe HostnameVerifier Defined". In previous security tests, this did not happen and I haven't changed any networking-related code, but now I am getting this failure.

Nowhere in my C# code is there any mention of HostnameVerifier (I searched the entire solution in Visual Studio) and because it mentions Java, I assume this is a Java-related issue due to one of the SDKs I'm using, but I am not sure how to track it down and fix it.

The two suspect SDKs I'm using are Firebase Unity SDK (for cloud storage) and DeltaDNA (for analytics). But I'm not sure how to fix this. Does anyone know how to solve this issue?

Oculus_Unsafe_HostnameVerifier_2022-02-08.png

1 ACCEPTED SOLUTION

AFE_Foreman
Level 4

I fixed the issue. My solution was to remove the Amplitude Unity SDK (along with the okhttp dependency that was likely causing the issue). I then re-implemented Amplitude analytics via their HTTP API, using the UnityWebRequest built-in functionality. Now my app passes all security vulnerability checks!

8 REPLIES

ticoceptt
Level 3

Hey there, did you ever figure this out? We're running into the same issue.

ticoceptt
Level 3

I figured it out in case anyone needs it.

In some versions of Unity it can be related to the Ads / Unity Distribution Channel, so uninstalling those normally fixes it.

In my case, it was the actual Unity version; moving to 2019.4.28 LTS or 2020.3 LTS fixed the issue.

Hey there! Sorry for the delayed reply. I have not sorted out the issue yet. I am not using Unity Ads / Unity Distribution Channel. I did try updating my Unity version to 2019.4.28 like you recommended, but it also did not fix the issue. I am now attempting to update my Unity version to 2019.4.36 (the latest version of Unity 2019 LTS as of the date this post was written) and will see if that helps.

Amplitude (analytics) got back to me and said there's no mention of HostnameVerifier in any of their projects, but they use okhttp as a dependency for HTTP calls. They said to try updating okhttp from 4.2.2 to 4.9.3 to see if that helps. I plan to do that if upgrading my Unity version does not fix the issue.

AFE_Foreman
Level 4

Upgrading to Unity 2019.4.36 did not solve the issue. 😞

AFE_Foreman
Level 4

Upgrading okhttp from version 4.2.2 to 4.9.3 also did not fix the issue. Curious, as the release notes for okhttp v4.9.2 do mention a fix related to HostnameVerifier:

AFE_Foreman_0-1646344955081.png

AFE_Foreman
Level 4

I haven't fixed the issue yet, but I was able to determine that the Amplitude Unity SDK is indeed causing the problem.

I copied my project, and completely removed the Firebase SDK, built, and uploaded to Oculus - still got the security vulnerability (so the issue is not Firebase). Then, I completely removed the Amplitude Unity SDK, built, uploaded to Oculus, and it passed all tests.

So, at least I've isolated the issue to the Amplitude Unity SDK. It could either be their own code, or a dependency that Amplitude uses. I'm in the process of chatting with Amplitude support about this.

ticoceptt
Level 3

That's awesome, congrats!
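
For the original question of how to track down which bundled Java dependency is responsible, one option is to list every class inside the project's `.jar`/`.aar` files that declares it implements `javax.net.ssl.HostnameVerifier`. This is an added example, not code from any poster or SDK in this thread; the function names are illustrative, and it reports implementers only, not whether a given `verify()` is actually unsafe.

```python
import io
import struct
import sys
import zipfile

TARGET = "javax/net/ssl/HostnameVerifier"  # internal (slash-separated) JVM name
# Bytes following the tag for each fixed-size constant-pool entry (JVM class-file format).
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
            15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def implemented_interfaces(data):
    """Return the interface names a compiled .class file declares it implements."""
    if len(data) < 10 or data[:4] != b"\xca\xfe\xba\xbe":
        return []
    count, pool, pos, i = struct.unpack_from(">H", data, 8)[0], {}, 10, 1
    while i < count:
        tag = data[pos]
        if tag == 1:  # Utf8: 2-byte length, then the bytes
            n = struct.unpack_from(">H", data, pos + 1)[0]
            pool[i] = data[pos + 3:pos + 3 + n].decode("utf-8", "replace")
            pos += 3 + n
        else:
            if tag == 7:  # Class: index of the Utf8 entry holding its name
                pool[i] = struct.unpack_from(">H", data, pos + 1)[0]
            pos += 1 + CP_SIZES[tag]
        i += 2 if tag in (5, 6) else 1  # long/double occupy two pool slots
    # After the pool: access_flags, this_class, super_class, interfaces_count, interfaces[]
    n_if = struct.unpack_from(">H", data, pos + 6)[0]
    return [pool[pool[k]] for k in struct.unpack_from(">%dH" % n_if, data, pos + 8)]

def scan_archive(blob, label):
    """List classes in a .jar/.aar (nested jars included) that implement TARGET."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                try:
                    if TARGET in implemented_interfaces(zf.read(name)):
                        hits.append(f"{label}!{name}")
                except (KeyError, IndexError, struct.error):
                    pass  # malformed or unsupported class file: skip it
            elif name.endswith(".jar"):  # e.g. classes.jar inside an .aar
                hits += scan_archive(zf.read(name), f"{label}!{name}")
    return hits

if __name__ == "__main__":
    for path in sys.argv[1:]:  # pass the .jar/.aar files bundled into the build
        with open(path, "rb") as fh:
            print("\n".join(scan_archive(fh.read(), path)))
```

Each hit is printed as `archive!nested.jar!package/Class.class`, so the owning SDK or dependency can be read from the archive name and package path.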