Unsafe implementation of the HostnameVerifier interface

[rjaylwar]

Google now is blocking updates to apps that include libraries that have "unsafe" HostnameVerifier implementations. They seem to pattern match the code so always returning true even from a HostnameVerifier that is only used in a safe context the fact that it always returns true seems to trip the filter.

https://support.google.com/faqs/answer/7188426

To properly handle hostname verification, change the implementation of your custom HostnameVerifier interface to perform the following actions:

• If you are using the HostnameVerifier interface, change the implementation of the verify method to return false whenever the hostname of the server does not meet your expectations.
• If you are using the X509HostnameVerifier interface, change the implementation of the verify methods (variants 1, 2, 3) to raise an SSLException whenever the hostname of the server does not meet your expectations. Ensure that the Exceptions raised within your verify implementation are not caught and suppressed within the method. Suppressing Exceptions in this manner would cause verify to exit normally, leading the app to trust all hostnames.

package com.deezer.sdk.network.b;

...

public class Blues {
  
  ...
  
  private static final HostnameVerifier bagpipes = new HostnameVerifier() {
      public final boolean verify(String hostname, SSLSession session) {
          return true;
      }
  };

  ...

  private static HttpURLConnection accordion(String var0, String var1, boolean var2) throws IOException {
      Object var3;
      if (var2) {
          ((HttpsURLConnection)(var3 = (HttpsURLConnection)(new URL(var0)).openConnection())).setHostnameVerifier(bagpipes);
      } else {
          var3 = (HttpURLConnection)(new URL(var0)).openConnection();
      }

      ((HttpURLConnection)var3).setRequestProperty("User-Agent", var1);
      return (HttpURLConnection)var3;
  }

  ...

}