rspec/rules/S5326/java/rule.adoc

Validating SSL/TLS connections is security-sensitive. For example, it has led in the past to the following vulnerabilities:

* https://nvd.nist.gov/vuln/detail/CVE-2014-5531[CVE-2014-5531]
* https://nvd.nist.gov/vuln/detail/CVE-2014-5524[CVE-2014-5524]
* https://nvd.nist.gov/vuln/detail/CVE-2014-5574[CVE-2014-5574]

SSL/TLS protocols encrypt network connections. The server usually provides a digital certificate to prove its identity. Accepting all SSL/TLS certificates makes your application vulnerable to https://www.owasp.org/index.php/Man-in-the-middle_attack[Man-in-the-middle attacks (MITM)].

This rule will raise an issue when a method named <code>onReceivedSslError</code> with first argument of type <code>android.webkit.WebView</code> is defined.

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

Android (See also https://support.google.com/faqs/answer/7071387?hl=en["How to address WebView SSL Error Handler alerts in your apps."])

----
package com.example.myapplication.rspec_5326;

import android.net.http.SslError;
import android.os.Build;
import android.support.annotation.RequiresApi;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.function.Function;

public class SSLTLSValidation extends WebViewClient {
    private final Function<SslError, Boolean> acceptSslError;

    SSLTLSValidation(Function<SslError, Boolean> acceptSslError) {
        this.acceptSslError = acceptSslError;
    }

    @RequiresApi(api = Build.VERSION_CODES.N)
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) { // Sensitive
        if (acceptSslError.apply(error)) {
            handler.proceed();
        } else {
            handler.cancel();
        }
    }
}
----

include::../see.adoc[]