Insecure call to SSLCertificateSocketFactory.createSocket()

When SSLCertificateSocketFactory.createSocket() is called with an InetAddress as the first parameter, TLS/SSL hostname verification is not performed, which could result in insecure network traffic caused by trusting arbitrary hostnames in TLS/SSL certificates presented by peers. In this case, developers must ensure that the InetAddress is explicitly verified against the certificate through other means, such as by calling SSLCertificateSocketFactory.getDefaultHostnameVerifier() to get a HostnameVerifier and calling HostnameVerifier.verify().
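The flagged call next to a version that performs the explicit check, as an added example that is not part of the original inspection text. The class name, method names, timeout value and the expectedHost parameter are hypothetical, and the verifier is obtained through the standard javax.net.ssl accessor HttpsURLConnection.getDefaultHostnameVerifier().

```java
import android.net.SSLCertificateSocketFactory;

import java.io.IOException;
import java.net.InetAddress;

import javax.net.SocketFactory;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

/** Hypothetical helper, written for illustration only. */
public final class VerifiedSocketOpener {
    private static final int HANDSHAKE_TIMEOUT_MS = 10_000; // assumed value

    /**
     * Pattern the inspection reports: the InetAddress overload validates the
     * certificate chain but never compares the certificate to a hostname.
     */
    static SSLSocket openUnverified(InetAddress addr, int port) throws IOException {
        SocketFactory factory = SSLCertificateSocketFactory.getDefault(HANDSHAKE_TIMEOUT_MS);
        return (SSLSocket) factory.createSocket(addr, port);
    }

    /**
     * Same connection, followed by an explicit hostname check against the
     * name the caller intended to reach. The socket is closed on any failure
     * so no application data is sent to an unverified peer.
     */
    static SSLSocket openVerified(String expectedHost, InetAddress addr, int port)
            throws IOException {
        SSLSocket socket = openUnverified(addr, port);
        try {
            socket.startHandshake(); // complete the handshake before reading the session
            SSLSession session = socket.getSession();
            HostnameVerifier verifier = HttpsURLConnection.getDefaultHostnameVerifier();
            if (!verifier.verify(expectedHost, session)) {
                throw new SSLPeerUnverifiedException(
                        "Peer certificate does not match " + expectedHost);
            }
            return socket;
        } catch (IOException | RuntimeException e) {
            socket.close();
            throw e;
        }
    }
}
```

The hostname passed to verify() must come from trusted configuration, not from a reverse lookup of the InetAddress, since a reverse lookup is controlled by whoever controls the network path.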

Issue id: SSLCertificateSocketFactoryCreateSocket

Inspection Details

Available in:

IntelliJ IDEA 2023.3, Qodana for Android 2023.3, Qodana for JVM 2023.3


Android, 2022.3.1 Beta 2

Last modified: 13 July 2023