Details

    • Type: Language-Specification
    • Status: Active
    • Resolution: Unresolved
    • Labels:
      None

      Description

      Validating SSL/TLS connections is security-sensitive. For example, it has led in the past to the following vulnerabilities:

      SSL/TLS protocols encrypt network connections. The server usually provides a digital certificate to prove its identity. Accepting all SSL/TLS certificates makes your application vulnerable to Man-in-the-middle attacks (MITM).

      This rule raises an issue whenever a method named onReceivedSslError whose first argument is of type android.webkit.WebView is defined.

      Sensitive Code Example

      Android (See also "How to address WebView SSL Error Handler alerts in your apps.")

      package com.example.myapplication.rspec_5326;
      
      import android.net.http.SslError;
      import android.os.Build;
      import android.support.annotation.RequiresApi;
      import android.webkit.SslErrorHandler;
      import android.webkit.WebView;
      import android.webkit.WebViewClient;
      
      import java.util.function.Function;
      
      public class SSLTLSValidation extends WebViewClient {
          private final Function<SslError, Boolean> acceptSslError;
      
          SSLTLSValidation(Function<SslError, Boolean> acceptSslError) {
              this.acceptSslError = acceptSslError;
          }
      
          @RequiresApi(api = Build.VERSION_CODES.N)
          @Override
          public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) { // Sensitive
              if (acceptSslError.apply(error)) {
                  handler.proceed();
              } else {
                  handler.cancel();
              }
          }
      }
      

            People

            • Assignee:
              Unassigned
              Reporter:
              Nicolas Harraudeau