Security Vulnerability: "Unsafe HostnameVerifier Defined" - How to fix?

  • 10 February 2022
  • 2 replies

Userlevel 1
Badge +2



I am using the Amplitude Unity SDK (latest version 2.4.0) for an Android project - specifically for Oculus Quest 2 VR. I'm getting a security vulnerability failure in the Oculus dashboard when I upload my build. It says "Unsafe HostnameVerifier Defined" (see image below). In Visual Studio I searched through my entire solution in C# and I don't see any mention of HostnameVerifier, so I don't understand how to fix this issue. My assumption is that the issue lies in a 3rd party SDK that accesses the internet, aka the Amplitude Unity SDK.

Does anyone know how to fix this issue? This issue is currently halting the release of my team's app since it fails Oculus's security vulnerability test.




Best answer by REM5 Studios 10 March 2022, 22:01

View original

2 replies

Userlevel 4
Badge +3



I am going to take this offline for security reasons as I will need more information on implementation. 




Userlevel 1
Badge +2

In case others encounter the same problem, I fixed the issue by removing the Amplitude Unity SDK, then re-implementing Amplitude via the HTTP API v2, using the UnityWebRequest built-in functionality. Now my app passes all security vulnerability checks!

The okhttp dependency that the Amplitude Unity SDK uses was likely causing the security vulnerability detected by Oculus.