Validating SSL/TLS connections is security-sensitive. For example, it has led in the past to the following vulnerabilities: * https://nvd.nist.gov/vuln/detail/CVE-2014-5531[CVE-2014-5531] * https://nvd.nist.gov/vuln/detail/CVE-2014-5524[CVE-2014-5524] * https://nvd.nist.gov/vuln/detail/CVE-2014-5574[CVE-2014-5574] SSL/TLS protocols encrypt network connections. The server usually provides a digital certificate to prove its identity. Accepting all SSL/TLS certificates makes your application vulnerable to Man-in-the-middle attacks (MITM). This rule will raise an issue when a method named ``++onReceivedSslError++`` with first argument of type ``++android.webkit.WebView++`` is defined. == Ask Yourself Whether * invalid SSL/TLS certificates are accepted automatically. * The user is asked to accept invalid SSL/TLS certificates. You are at risk if you answered yes to any of those questions. == Recommended Secure Coding Practices * Accept only trusted SSL/TLS certificates. * Do not ask users to accept unsafe connections as they are unlikely to make an informed security decision. == Sensitive Code Example Android (See also https://support.google.com/faqs/answer/7071387?hl=en["How to address WebView SSL Error Handler alerts in your apps."]) ---- package com.example.myapplication.rspec_5326; import android.net.http.SslError; import android.os.Build; import android.support.annotation.RequiresApi; import android.webkit.SslErrorHandler; import android.webkit.WebView; import android.webkit.WebViewClient; import java.util.function.Function; public class SSLTLSValidation extends WebViewClient { private final Function acceptSslError; SSLTLSValidation(Function acceptSslError) { this.acceptSslError = acceptSslError; } @RequiresApi(api = Build.VERSION_CODES.N) @Override public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) { // Sensitive if (acceptSslError.apply(error)) { handler.proceed(); } else { handler.cancel(); } } } ---- == See * https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure * https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration * https://cwe.mitre.org/data/definitions/295[MITRE, CWE-295] - Improper Certificate Validation ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) === Message Make sure that SSL/TLS connections are validated safely here ''' == Comments And Links (visible only on this page) === on 2 Apr 2019, 11:37:57 Nicolas Harraudeau wrote: We could define a vulnerability rule as many projects on Github have just ``++handler.proceed();++`` in ``++onReceivedSslError++``. But the usefulness of such a rule might be limited as it seems that https://support.google.com/faqs/answer/7071387?hl=en[Google validates the plugins]. We should first check if Google is able to detect every simple case. endif::env-github,rspecator-view[]