Skip to main content
Solved

Security Vulnerability: "Unsafe HostnameVerifier Defined" - How to fix?

  • February 10, 2022
  • 2 replies
  • 549 views
REM5 Studios
Well-Versed
Forum|alt.badge.img+2

Hello!

 

I am using the Amplitude Unity SDK (latest version 2.4.0) for an Android project - specifically for Oculus Quest 2 VR. I'm getting a security vulnerability failure in the Oculus dashboard when I upload my build. It says "Unsafe HostnameVerifier Defined" (see image below). In Visual Studio I searched through my entire solution in C# and I don't see any mention of HostnameVerifier, so I don't understand how to fix this issue. My assumption is that the issue lies in a 3rd party SDK that accesses the internet, aka the Amplitude Unity SDK.


Does anyone know how to fix this issue? This issue is currently halting the release of my team's app since it fails Oculus's security vulnerability test.

 

 

Best answer by REM5 Studios

In case others encounter the same problem, I fixed the issue by removing the Amplitude Unity SDK, then re-implementing Amplitude via the HTTP API v2, using the UnityWebRequest built-in functionality. Now my app passes all security vulnerability checks!

The okhttp dependency that the Amplitude Unity SDK uses was likely causing the security vulnerability detected by Oculus.

View original
    Did this topic help you find an answer to your question?

    2 replies

    sydney.koh
    Team Member
    Forum|alt.badge.img+8
    • sydney.koh
    • Amplitude Support
    • 127 replies
    • February 15, 2022

    Hi!

     

    I am going to take this offline for security reasons as I will need more information on implementation. 

     

    Best,

    Sydney

    REM5 Studios
    1 person likes this
    • REM5 Studios
      REM5 Studios
    REM5 Studios
    Well-Versed
    Forum|alt.badge.img+2
    • REM5 Studios
    • Author
    • Well-Versed
    • 15 replies
    • Answer
    • March 10, 2022

    In case others encounter the same problem, I fixed the issue by removing the Amplitude Unity SDK, then re-implementing Amplitude via the HTTP API v2, using the UnityWebRequest built-in functionality. Now my app passes all security vulnerability checks!

    The okhttp dependency that the Amplitude Unity SDK uses was likely causing the security vulnerability detected by Oculus.

    Reply


    Helpful Members this Week

    Terms & ConditionsCookie settings

    Cookie policy

    We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

     
    Cookie settings