No Certificate Validation
Description
A custom X509TrustManager or HostnameVerifier that accepts every certificate chain or hostname removes the authentication TLS is supposed to provide: an attacker on the network path can present any certificate and intercept or modify traffic, even though the connection is HTTPS.
Examples
Identify Trust-All Implementations
rg -n "X509TrustManager|HostnameVerifier|checkServerTrusted\(|verify\(" out src
Look for checkServerTrusted() methods with empty bodies (or bodies that only log) and verify() implementations that unconditionally return true.
Confirm With MITM
Route the app's traffic through an intercepting proxy that presents a self-signed certificate. If the app completes the connection without pinning or proper validation, the issue is present.
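The following is an added example, not code from the page or from any particular app: it shows the trust-all pattern that the search above flags, next to a hardened client that keeps the platform's trust store and hostname verification and layers pinning on top. It assumes OkHttp (okhttp3) as the HTTP client; the hostname api.example.com and the two pin strings are placeholders, not real values.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

/** Added example: the trust-all pattern the rg search flags, beside the hardened form. */
public final class TlsTrustExample {

    // ---- VULNERABLE: what the search hits usually look like (do not ship) ----

    // checkServerTrusted does nothing, so any chain, signed by anyone, is accepted.
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // verify() returns true, so a certificate issued for any name passes for any host.
    static final HostnameVerifier ACCEPT_ANY_HOST = (hostname, session) -> true;

    static OkHttpClient insecureClient() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { TRUST_ALL }, null);
        return new OkHttpClient.Builder()
                .sslSocketFactory(ctx.getSocketFactory(), TRUST_ALL)
                .hostnameVerifier(ACCEPT_ANY_HOST)
                .build();
    }

    // ---- HARDENED: platform defaults, plus pinning that fails closed ----

    // Placeholder pins (assumed, not real): base64 of the SHA-256 of the server's
    // SubjectPublicKeyInfo. Compute real ones with CertificatePinner.pin(certificate)
    // and keep a backup pin for the next key so rotation does not lock users out.
    static final String HOST = "api.example.com";                  // assumed hostname
    static final String PIN_CURRENT = "sha256/" + "A".repeat(43) + "=";
    static final String PIN_BACKUP  = "sha256/" + "B".repeat(43) + "=";

    static OkHttpClient hardenedClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(HOST, PIN_CURRENT)
                .add(HOST, PIN_BACKUP)
                .build();
        // No sslSocketFactory()/hostnameVerifier() calls: OkHttp uses the system trust
        // store and the default HostnameVerifier. Pinning is added on top of chain
        // validation, not used as a replacement for it.
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    // Fail closed: an SSLHandshakeException (chain or hostname rejected) or an
    // SSLPeerUnverifiedException (no pin matched) propagates to the caller instead
    // of being caught and ignored.
    static String fetch(OkHttpClient client, String url) throws IOException {
        Request request = new Request.Builder().url(url).build();
        try (Response response = client.newCall(request).execute()) {
            return response.body() != null ? response.body().string() : "";
        }
    }
}
```

In a code review, insecureClient() is what the X509TrustManager/HostnameVerifier grep surfaces; hardenedClient() has no custom trust manager or verifier at all, and the only TLS-related configuration is the pinner, which OkHttp enforces by throwing rather than by returning a flag that could be ignored.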
Remediation
- Use platform defaults: avoid custom trust managers; rely on the system trust store and default hostname verification.
- Pin carefully: if pinning, implement it robustly and rotate pins; fail closed on validation errors.
- Test continuously: add dynamic tests to CI that ensure invalid certificates and hostnames are rejected.
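The "test continuously" item above can be implemented as a negative test suite that runs on every build. The JUnit 5 class below is an added example, not part of the page or any project: it connects with the default SSLSocketFactory and HostnameVerifier to the badssl.com endpoints that serve deliberately broken certificates and asserts that the handshake fails. It assumes the CI runner has outbound network access to badssl.com.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;

import java.net.URL;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLException;
import org.junit.jupiter.api.Test;

/** Added example: CI checks that the default TLS stack rejects bad certificates and hostnames. */
class TlsNegativeTest {

    // badssl.com publishes endpoints with deliberately broken certificates;
    // the test assumes the CI runner can reach them.
    static final String SELF_SIGNED = "https://self-signed.badssl.com/";
    static final String WRONG_HOST  = "https://wrong.host.badssl.com/";
    static final String EXPIRED     = "https://expired.badssl.com/";
    static final String VALID       = "https://badssl.com/";

    // Opens the URL with the platform default SSLSocketFactory and HostnameVerifier.
    // A regression that installs a trust-all manager or verifier (for example via
    // HttpsURLConnection.setDefaultSSLSocketFactory) would make the bad hosts succeed.
    static int connect(String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        try {
            return conn.getResponseCode();   // forces the TLS handshake
        } finally {
            conn.disconnect();
        }
    }

    // SSLException is the common supertype: the JDK throws SSLHandshakeException for
    // untrusted or expired chains and for hostname mismatch (endpoint identification),
    // Android's HttpsURLConnection throws SSLPeerUnverifiedException for the mismatch.
    @Test void rejectsSelfSigned() { assertThrows(SSLException.class, () -> connect(SELF_SIGNED)); }
    @Test void rejectsWrongHost()  { assertThrows(SSLException.class, () -> connect(WRONG_HOST)); }
    @Test void rejectsExpired()    { assertThrows(SSLException.class, () -> connect(EXPIRED)); }

    // Control case: a valid certificate must still be accepted, so the suite also
    // catches a broken trust store that rejects everything rather than the bad cases only.
    @Test void acceptsValid() throws Exception { assertEquals(200, connect(VALID)); }
}
```

On Android, run this as an instrumented test so that it exercises the device's network security configuration and trust store rather than the build host's JVM; if the app uses OkHttp, add the same four cases against the app's real client instance so a trust manager injected through the builder is caught too.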