diff --git a/docs/header_names/allowed_framework_names.adoc b/docs/header_names/allowed_framework_names.adoc
index c3244a7b41..d3d0ea4b62 100644
--- a/docs/header_names/allowed_framework_names.adoc
+++ b/docs/header_names/allowed_framework_names.adoc
@@ -27,6 +27,7 @@
 * libxml2
 // Java
 * Android
+* Android WebView
 * Apache Commons
 * Apache Commons
 * Apache Commons Email
@@ -48,7 +49,6 @@
 * Legacy Mongo Java API
 * OkHttp
 * Realm
-* Java Cryptography Extension
 * Apache HttpClient
 * Couchbase
 * SAX
diff --git a/rules/S4830/kotlin/how-to-fix-it/android-webview.adoc b/rules/S4830/kotlin/how-to-fix-it/android-webview.adoc
new file mode 100644
index 0000000000..5fa02c35aa
--- /dev/null
+++ b/rules/S4830/kotlin/how-to-fix-it/android-webview.adoc
@@ -0,0 +1,44 @@
+== How to fix it in Android WebView
+
+=== Code examples
+
+include::../../common/fix/code-rationale.adoc[]
+
+The certificate validation gets disabled by overriding the `onReceivedSslError` method of the `WebViewClient` class with an implementation that calls `SslErrorHandler.proceed()` unconditionally, and that never calls `SslErrorHandler.cancel()`.
+
+This means that a certificate initially rejected by the system will be accepted by the `WebViewClient`, regardless of its origin.
+
+==== Noncompliant code example
+
+[source,kotlin,diff-id=101,diff-type=noncompliant]
+----
+class MyWebViewClient : WebViewClient() {
+ override fun onReceivedSslError(view: WebView, handler: SslErrorHandler, error: SslError) =
+ handler.proceed() // Noncompliant
+}
+----
+
+==== Compliant solution
+
+You need to implement a validation of the server certificate received in the `SslErrorHandler` object, calling `proceed` and `cancel` appropriately.
+
+[source,kotlin,diff-id=101,diff-type=compliant]
+----
+class MyWebViewClient : WebViewClient() {
+ override fun onReceivedSslError(view: WebView, handler: SslErrorHandler, error: SslError) {
+ if (error.certificate.isServerCertificateValid()) {
+ handler.proceed()
+ } else {
+ handler.cancel()
+ }
+ }
+
+ private fun SslCertificate.isServerCertificateValid(): Boolean {
+ // Implement the server certificate validation logic here ...
+ }
+}
+----
+
+=== How does this work?
+
+include::../../common/fix/validation.adoc[]
diff --git a/rules/S4830/kotlin/rule.adoc b/rules/S4830/kotlin/rule.adoc
index b0a0e191d5..df25f4c38e 100644
--- a/rules/S4830/kotlin/rule.adoc
+++ b/rules/S4830/kotlin/rule.adoc
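Review bot: The compliant example's `isServerCertificateValid()` is declared `: Boolean` with a block body that never returns, so the snippet does not compile as shown; a placeholder such as `TODO("validate the server certificate, e.g. against a pinned public key")` keeps it honest and makes the fail-closed expectation visible. The prose around it should also say that the default `WebViewClient.onReceivedSslError` already calls `cancel()`, and that, as I read the Google Support article this commit links from rule.adoc, `handler.cancel()` is the expected fix unless the app deliberately pins the server certificate — the "implement your own validation" framing otherwise invites readers to re-implement trust checks the platform already did. If custom validation is kept, the text should state that any exception or unknown outcome in that path must end in `cancel()`, since `SslError.getCertificate()` appears to expose only the single server certificate rather than the chain, which limits what a correct check can do here. The sentence "a certificate initially rejected by the system will be accepted" could name the rejection classes (`SslError.SSL_EXPIRED`, `SSL_IDMISMATCH`, `SSL_UNTRUSTED`, ...) so nobody treats `proceed()` as safe for "just" a hostname mismatch.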
@@ -10,11 +10,15 @@ include::../impact.adoc[] include::how-to-fix-it/java-cryptography-extension.adoc[] +include::how-to-fix-it/android-webview.adoc[] + == Resources include::../common/resources/standards-mobile.adoc[] -* https://wiki.sei.cmu.edu/confluence/display/java/MSC61-J.+Do+not+use+insecure+or+weak+cryptographic+algorithms +* CERT - https://wiki.sei.cmu.edu/confluence/display/java/MSC61-J.+Do+not+use+insecure+or+weak+cryptographic+algorithms +* Google Support - https://support.google.com/faqs/answer/7071387?hl=en[How to address WebView SSL Error Handler alerts in your apps] +* Android Documentation - https://developer.android.com/reference/android/webkit/WebViewClient?hl=en#onReceivedSslError(android.webkit.WebView,%20android.webkit.SslErrorHandler,%20android.net.http.SslError)[WebViewClient.onReceivedSslError] method ifdef::env-github,rspecator-view[]