Validating SSL/TLS connections is security-sensitive. For example, it has led in the past to the following vulnerabilities:

SSL/TLS protocols encrypt network connections. The server usually presents a digital certificate to prove its identity. Accepting every SSL/TLS certificate, regardless of whether it validates, makes your application vulnerable to man-in-the-middle (MITM) attacks: an attacker who can intercept the traffic can present their own certificate and read or alter everything the WebView exchanges with the server.

This rule raises an issue when a method named onReceivedSslError whose first argument is of type android.webkit.WebView is defined.

Ask Yourself Whether

You are at risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Sensitive Code Example

Android (See also "How to address WebView SSL Error Handler alerts in your apps.")

package com.example.myapplication.rspec_5326;

import android.net.http.SslError;
import android.os.Build;
import android.support.annotation.RequiresApi;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.function.Function;

public class SSLTLSValidation extends WebViewClient {
    // Caller-supplied policy deciding whether a failed certificate check is ignored.
    private final Function<SslError, Boolean> acceptSslError;

    SSLTLSValidation(Function<SslError, Boolean> acceptSslError) {
        this.acceptSslError = acceptSslError;
    }

    @RequiresApi(api = Build.VERSION_CODES.N)
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) { // Sensitive
        if (acceptSslError.apply(error)) {
            handler.proceed(); // Continues loading despite the invalid certificate
        } else {
            handler.cancel();
        }
    }
}
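The following is an added example, not part of the rule description and not SonarSource code, showing the safe counterpart: a WebViewClient that never calls handler.proceed(). It overrides onReceivedSslError only to record which certificate check failed before cancelling the load. The class name, log tag and describe() helper are assumptions for illustration; SslError, SslErrorHandler and the SSL_* constants are the standard Android APIs.

```java
package com.example.myapplication.rspec_5326;

import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/**
 * Added example (not from the rule description): a WebViewClient that never
 * proceeds past an SSL error. The override exists only to log which check
 * failed before the load is cancelled. Because the rule flags the override
 * itself, the simplest compliant option when no logging is needed is to not
 * override onReceivedSslError at all: WebViewClient's default implementation
 * cancels the load.
 */
public class StrictSslWebViewClient extends WebViewClient {
    private static final String TAG = "StrictSslWebViewClient"; // constructed log tag

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // Record the failure for diagnostics; getUrl() is the page that presented the bad certificate.
        Log.w(TAG, "Rejected TLS connection to " + error.getUrl()
                + ": " + describe(error.getPrimaryError()));
        // Always abort. No error type and no host is ever allowed through with handler.proceed().
        handler.cancel();
    }

    /** Maps SslError's primary error code to a readable label for the log line (hypothetical helper). */
    static String describe(int primaryError) {
        switch (primaryError) {
            case SslError.SSL_NOTYETVALID:  return "certificate not yet valid";
            case SslError.SSL_EXPIRED:      return "certificate expired";
            case SslError.SSL_IDMISMATCH:   return "hostname does not match certificate";
            case SslError.SSL_UNTRUSTED:    return "certificate authority not trusted";
            case SslError.SSL_DATE_INVALID: return "certificate date invalid";
            case SslError.SSL_INVALID:      return "generic certificate error";
            default:                        return "unknown error code " + primaryError;
        }
    }
}
```

If the motivation for calling proceed() was a development server with a self-signed certificate, the correct fix is to declare that certificate as a trust anchor in the app's Network Security Configuration (res/xml/network_security_config.xml), scoped to debug builds, rather than to weaken certificate validation in code for every build and every host.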

See

Deprecated

This rule is deprecated; use {rule:java:S4423}, {rule:java:S4830}, {rule:java:S5527} instead.