Qark security scan - MitM Attack possible?

I’ve been using the smack-android library in production successfully for almost a year now. Thank you.

Recently I scanned my apk with the free linkedin library, qark.

GitHub - linkedin/qark: Tool to look for several security related Android application vulnerabilities

Here’s the result:

WARNING - Instance of checkServerTrusted, with no body found in: /…/classes_dex2jar/org/jivesoftware/smack/util/TLSUtils.java. This means this application is likely vulnerable to Man-In-The-Middle attacks. This can be confirmed using the free version of Burpsuite. Simply set the Android device’s proxy to use Burpsuite via the network settings, but DO NOT install the Portswigger CA certificate on the device. If you still see traffic in the proxy, the app is vulnerable. Note: You need to ensure you exercise this code path. If you are unsure, make sure you click through each part of the application which makes network requests. You may need to toggle the proxy on/off to get past sections that do validate certificates properly in order to reach the vulnerable code. This proves that it will accept certificates from any CA. You should always validate your configuration by visiting an HTTPS site in the native browser and verifying you receive a certificate warning. For details, please see: https://developer.android.com/training/articles/security-ssl.html

Here’s my connection implementation:

    builder = XMPPTCPConnectionConfiguration.builder();
    builder.setServiceName(serviceName);
    builder.setHost(serverAddress);
    builder.setPort(serverPort);
    builder.setResource("android");
    // Hostname check only; no custom SSLContext is set, so certificate
    // chain validation stays with the platform's default TrustManager.
    builder.setHostnameVerifier(new StrictHostnameVerifier());

    connection = new XMPPTCPConnection(builder.build());
    connection.connect();
    connection.login(loginUser, passwordUser);

It seems I need to override the TLSUtils.AcceptAllTrustManager but I’m really not sure what I need to do.

Any help is much appreciated.

Smack will connect to every host if this implementation of TLSUtils is used. I have no idea whether this is disabled, the default or whether one can specify a class which validates the certificate before connecting.

Smack/TLSUtils.java at master · igniterealtime/Smack · GitHub

@Flow

It seems I need to override the TLSUtils.AcceptAllTrustManager but I’m really not sure what I need to do.

No. If you do not use the methods in TLSUtils that are explicitly marked as "invalidates all security guarantees provided by TLS", then you are fine. See e.g. TLSUtils (Smack 4.1.6 API)
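To make Flow's point concrete, here is an added example (not code from this thread or from the Smack project) showing the one TLSUtils call that actually wires the flagged AcceptAllTrustManager into a connection, next to a configuration that keeps normal certificate validation. It assumes Smack 4.1.x and the OP's StrictHostnameVerifier from Android's bundled org.apache.http.conn.ssl package.

```java
import org.jivesoftware.smack.ConnectionConfiguration.SecurityMode;
import org.jivesoftware.smack.tcp.XMPPTCPConnectionConfiguration;
import org.jivesoftware.smack.util.TLSUtils;
import org.apache.http.conn.ssl.StrictHostnameVerifier;
import java.security.GeneralSecurityException;

public final class SmackTlsConfig {

    // WEAK: TLSUtils.acceptAllCertificates() installs a custom SSLContext whose
    // TrustManager is TLSUtils.AcceptAllTrustManager, the class with the empty
    // checkServerTrusted() that qark reports. Any certificate from any issuer is
    // accepted, so a proxy presenting its own certificate goes unnoticed.
    // Nothing else in the OP's code path reaches this class.
    static XMPPTCPConnectionConfiguration weak(String serviceName, String host, int port)
            throws GeneralSecurityException {
        XMPPTCPConnectionConfiguration.Builder b = XMPPTCPConnectionConfiguration.builder();
        b.setServiceName(serviceName);
        b.setHost(host);
        b.setPort(port);
        b.setResource("android");
        TLSUtils.acceptAllCertificates(b); // do not ship this
        return b.build();
    }

    // SAFE: no TLSUtils call at all. Without a custom SSLContext, Smack uses the
    // platform default TrustManager (the Android system CA store), the hostname
    // verifier checks the certificate against the server name, and
    // SecurityMode.required refuses a plaintext session if STARTTLS is missing.
    static XMPPTCPConnectionConfiguration safe(String serviceName, String host, int port) {
        XMPPTCPConnectionConfiguration.Builder b = XMPPTCPConnectionConfiguration.builder();
        b.setServiceName(serviceName);
        b.setHost(host);
        b.setPort(port);
        b.setResource("android");
        b.setSecurityMode(SecurityMode.required);
        b.setHostnameVerifier(new StrictHostnameVerifier());
        return b.build();
    }
}
```

A quick check of which path an app takes is to search your own sources for acceptAllCertificates and AcceptAllTrustManager; if neither appears, the scanner is only seeing the unused class inside the library jar.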