Security Vulnerabilities in Certificate Pinning (schneier.com)
5 points by lilyball on Dec 8, 2017 | 1 comment


From the paper, it appears that Spinner works by using censys.io to search for other websites that have the same certificate chain as the target domain (only differing in the leaf certificate), then redirects the app in question to that alternative website. It then analyzes the encrypted network traffic to see if the app completes the SSL handshake or if it bails while establishing. If it completes the SSL handshake then it must not have performed hostname verification.
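The procedure in the comment above, modelled as an added example (this is not code from the Spinner paper, from Schneier's post, or from the commenter). It does not open TLS connections; it models the two halves of the technique on constructed data: first the censys.io step, selecting hosts whose chain matches the target's everywhere above the leaf certificate, and then the handshake decision a pinning client makes when redirected to such a host, once with a pin-only check and once with the pin plus RFC 6125-style hostname matching. All hostnames and fingerprint strings are hypothetical.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Cert:
    fingerprint: str            # stands in for SHA-256 of the DER cert (hypothetical value)
    subject: str
    san_dns: Tuple[str, ...] = ()  # subjectAltName dNSName entries


@dataclass(frozen=True)
class Host:
    name: str
    chain: Tuple[Cert, ...]     # leaf first, root last


# Constructed inventory standing in for a censys.io search result (hypothetical data).
ROOT = Cert("fp:root", "CN=Example Root CA")
INTER = Cert("fp:intermediate", "CN=Example Issuing CA")
OTHER_INTER = Cert("fp:other-intermediate", "CN=Other Issuing CA")

INVENTORY = [
    Host("bank.example", (Cert("fp:leaf-bank", "CN=bank.example",
                               ("bank.example", "www.bank.example")), INTER, ROOT)),
    Host("shop.example", (Cert("fp:leaf-shop", "CN=shop.example", ("shop.example",)), INTER, ROOT)),
    Host("blog.example", (Cert("fp:leaf-blog", "CN=blog.example",
                               ("blog.example", "*.blog.example")), INTER, ROOT)),
    Host("mail.example", (Cert("fp:leaf-mail", "CN=mail.example", ("mail.example",)), OTHER_INTER, ROOT)),
]


def issuer_path(host):
    """Fingerprints of everything above the leaf; this is the part that must match."""
    return tuple(c.fingerprint for c in host.chain[1:])


def find_alternatives(target, inventory):
    """The censys.io step: hosts whose chain equals the target's except for the leaf.

    If the app pins anything above the leaf (intermediate or root), every one of
    these hosts presents a chain that the pin check alone will accept.
    """
    wanted = issuer_path(target)
    return [h for h in inventory if h.name != target.name and issuer_path(h) == wanted]


def hostname_matches(pattern, hostname):
    """RFC 6125-style dNSName matching: exact match, or a single '*' forming the
    entire left-most label of the pattern and matching exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (len(p_labels) == len(h_labels)
            and p_labels[1:] == h_labels[1:]
            and bool(h_labels[0]))


def chain_pinned_ok(chain, pinned_fingerprints):
    """Pin check: some certificate in the presented chain is one we pinned."""
    return any(c.fingerprint in pinned_fingerprints for c in chain)


def client_accepts(chain, expected_hostname, pinned_fingerprints, verify_hostname):
    """What the app decides at handshake time. The vulnerable variant skips
    hostname verification and relies on the pin alone."""
    if not chain_pinned_ok(chain, pinned_fingerprints):
        return False
    if not verify_hostname:
        return True
    return any(hostname_matches(n, expected_hostname) for n in chain[0].san_dns)


def spinner_verdict(target, pinned_fingerprints, inventory, verify_hostname):
    """Redirect the app to each alternative host in turn; a completed handshake
    against a host whose leaf is not for the target means hostname verification
    was skipped. Returns ("VULNERABLE", host) or ("OK", None)."""
    for alt in find_alternatives(target, inventory):
        if client_accepts(alt.chain, target.name, pinned_fingerprints, verify_hostname):
            return ("VULNERABLE", alt.name)
    return ("OK", None)


if __name__ == "__main__":
    target = INVENTORY[0]                     # the app's real backend
    pinned = {INTER.fingerprint}              # app pins the issuing CA, not the leaf
    print("candidates:", [h.name for h in find_alternatives(target, INVENTORY)])
    print("pin only:  ", spinner_verdict(target, pinned, INVENTORY, verify_hostname=False))
    print("pin+name:  ", spinner_verdict(target, pinned, INVENTORY, verify_hostname=True))
    print("leaf pin:  ", spinner_verdict(target, {"fp:leaf-bank"}, INVENTORY, verify_hostname=False))
```

The last line of the usage shows the boundary of the technique: an app that pins the leaf certificate itself is not fooled by a sibling host, since the search only finds chains that agree above the leaf. The exposure is specific to pinning an intermediate or root while skipping hostname verification, which is exactly the combination the redirect-and-watch-the-handshake test detects.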
