Security Vulnerability: "Unsafe HostnameVerifier Defined" - How to fix?

Question

Hello!

I am using the Amplitude Unity SDK (latest version 2.4.0) for an Android project - specifically for Oculus Quest 2 VR. I'm getting a security vulnerability failure in the Oculus dashboard when I upload my build. It says "Unsafe HostnameVerifier Defined" (see image below). In Visual Studio I searched through my entire solution in C# and I don't see any mention of HostnameVerifier, so I don't understand how to fix this issue. My assumption is that the issue lies in a 3rd party SDK that accesses the internet, aka the Amplitude Unity SDK.

Does anyone know how to fix this issue? This issue is currently halting the release of my team's app since it fails Oculus's security vulnerability test.

icon

Best answer by REM5 Studios 10 March 2022, 22:01

View original

REM5 Studios · Accepted Answer

In case others encounter the same problem, I fixed the issue by removing the Amplitude Unity SDK, then re-implementing Amplitude via the HTTP API v2, using the UnityWebRequest built-in functionality. Now my app passes all security vulnerability checks!

The okhttp dependency that the Amplitude Unity SDK uses was likely causing the security vulnerability detected by Oculus.

sydney.koh · Answer

Hi!I am going to take this offline for security reasons as I will need more information on implementation.Best,Sydney

Security Vulnerability: "Unsafe HostnameVerifier Defined" - How to fix?

2 replies

Reply

Reply

Welcome to the Amplitude Community!

If you're a current customer, select the domain you use to sign in with Amplitude.

Welcome to the Amplitude Community!

If you're a current customer, select the domain you use to sign in with Amplitude.

Scanning file for viruses.

This file cannot be downloaded