Validating SSL/TLS connections is security-sensitive. For example, it has led in the past to the following vulnerabilities:
SSL/TLS protocols encrypt network connections. The server usually provides a digital certificate to prove its identity. Accepting all SSL/TLS certificates makes your application vulnerable to Man-in-the-middle attacks (MITM).
This rule will raise an issue when a method named onReceivedSslError with first argument of type android.webkit.WebView is defined.
You are at risk if you answered yes to any of those questions.
Android (See also "How to address WebView SSL Error Handler alerts in your apps.")
```java
package com.example.myapplication.rspec_5326;

import android.net.http.SslError;
import android.os.Build;
import android.support.annotation.RequiresApi;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.function.Function;

public class SSLTLSValidation extends WebViewClient {
    // Caller-supplied predicate deciding whether a certificate error is tolerated.
    private final Function<SslError, Boolean> acceptSslError;

    SSLTLSValidation(Function<SslError, Boolean> acceptSslError) {
        this.acceptSslError = acceptSslError;
    }

    @RequiresApi(api = Build.VERSION_CODES.N)
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) { // Sensitive
        if (acceptSslError.apply(error)) {
            handler.proceed(); // continues the load despite the failed certificate check
        } else {
            handler.cancel();
        }
    }
}
```
This rule is deprecated; use {rule:java:S4423}, {rule:java:S4830}, {rule:java:S5527} instead.