[GH-ISSUE #228] Unsafe HTTPS use #165

Closed
opened 2026-02-28 01:23:29 +03:00 by kerem · 3 comments

Originally created by @wolfmd on GitHub (Dec 10, 2014).
Original GitHub issue: https://github.com/ushahidi/SMSSync/issues/228

This may be due to the results of other issues, but running a security scan against the source code of this project has shown that the HTTPS used in this application has been manually overridden. Using HTTPS increases the security of credentials transmitted between the device and server as well as guaranteeing there is no middle-man attacker feeding malicious data to the user.

It seems some of these are user-overrides of validation; however, EasySSLSocketFactory should not be used as a default.

ushahidiSMSSync/smssync/src/main/java/org/addhen/smssync/net/EasySSLSocketFactory.java:63: SSLSocket created without proper hostname verification
ushahidiSMSSync/smssync/src/main/java/org/addhen/smssync/net/TrustedSocketFactory.java:52: Custom HostnameVerifier used; this is not safe for production use
ushahidiSMSSync/smssync/src/main/java/org/addhen/smssync/net/TrustedSocketFactory.java:53: AllowAllHostnameVerifier used, this is not a secure connection
ushahidiSMSSync/smssync/src/main/java/org/addhen/smssync/net/TrustedSocketFactory.java:76: SSLSocket created without proper hostname verification
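For contrast with the flagged patterns (a custom EasySSLSocketFactory and AllowAllHostnameVerifier), here is an added example, not SMSSync code, of a plain-JDK socket setup that keeps the platform trust store and turns on endpoint identification, so the handshake itself fails when the certificate does not match the host. The class name `VerifiedTls`, the method `openVerified` and the host in `main` are illustrative.

```java
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example: TLS socket setup that validates both the certificate chain
 * and the hostname, using only JDK classes (no custom TrustManager, no
 * AllowAllHostnameVerifier).
 */
public final class VerifiedTls {

    /** Opens a TLS connection; throws on an untrusted chain or a hostname mismatch. */
    public static SSLSocket openVerified(String host, int port) throws IOException {
        SSLSocketFactory factory;
        try {
            // Default context: platform CA store, default TrustManager.
            factory = SSLContext.getDefault().getSocketFactory();
        } catch (NoSuchAlgorithmException e) {
            throw new IOException("no default TLS context available", e);
        }
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        // A raw SSLSocket checks the chain but NOT the hostname (the class of
        // finding reported at EasySSLSocketFactory.java:63 above). Setting the
        // endpoint identification algorithm makes the handshake match the
        // certificate's SAN/CN against 'host' as HTTPS clients must.
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake(); // SSLHandshakeException on mismatch
        return socket;
    }

    public static void main(String[] args) throws IOException {
        // Illustrative host (assumption); needs network access to run.
        try (SSLSocket s = openVerified("example.com", 443)) {
            System.out.println("verified peer: " + s.getSession().getPeerPrincipal());
        }
    }
}
```

Code that goes through `HttpsURLConnection` gets the same hostname check from the default `HostnameVerifier`; the explicit `SSLParameters` step is only needed when an `SSLSocket` is created directly, as the scan flagged here.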

kerem closed this issue 2026-02-28 01:23:30 +03:00

@alxndrsn commented on GitHub (Apr 6, 2016):

Is this still an issue? It doesn't look like any of the referenced classes still exist in the project, and HTTPS connections are now handled by third party libs.


@timmwille commented on GitHub (Jan 29, 2021):

Can be closed?


@wolfmd commented on GitHub (Jan 29, 2021):

Yeah, for sure. Cheers!
