Java Webview Ignore Ssl Errors
Description
Detects insecure SSL certificate error handling in Android WebView implementations where certificate validation errors are ignored or bypassed. An app that accepts an invalid certificate loses the only guarantee TLS gives it about who is on the other end of the connection: an attacker on the network path can present a self-signed or forged certificate for the target host and read or modify everything the WebView sends and receives, including cookies, credentials and any JavaScript the page loads.
Detection Strategy
• Checks if android.webkit.WebViewClient is imported in the source code
• Identifies classes that inherit from WebViewClient
• Looks for overridden onReceivedSslError method implementations in these classes
• Reports a vulnerability when the overridden method accepts the failed connection (typically by calling SslErrorHandler.proceed()) instead of rejecting it with SslErrorHandler.cancel()
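The four steps above can be run as a small static check over Java source. The script below is an added example written for this page, not Fluid Attacks' scanner; it follows the strategy literally (import present, class extends WebViewClient, onReceivedSslError overridden, handler parameter's proceed() called in the body) on constructed sample sources, and strips comments and string literals first so that a comment or log message mentioning proceed() does not produce a false positive. Class and parameter names in the samples are assumptions.

```python
import re
from dataclasses import dataclass

# Step 1: the source imports WebViewClient (or the whole android.webkit package).
WEBVIEWCLIENT_IMPORT = re.compile(r"^\s*import\s+android\.webkit\.(WebViewClient|\*)\s*;", re.M)
# Step 2: a class that inherits from WebViewClient.
CLASS_DECL = re.compile(r"\bclass\s+(\w+)\s+extends\s+WebViewClient\b")
# Step 3: an onReceivedSslError override; group 1 is the parameter list.
METHOD_DECL = re.compile(r"\bvoid\s+onReceivedSslError\s*\(([^)]*)\)\s*\{")


@dataclass
class Finding:
    class_name: str
    line: int          # 1-based line of the onReceivedSslError declaration
    reason: str


def strip_comments_and_strings(src: str) -> str:
    """Blank out comments and string literals, keeping newlines so line numbers survive."""
    pattern = re.compile(r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"', re.S)
    return pattern.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)


def block_end(src: str, open_idx: int) -> int:
    """Index of the '}' matching the '{' at open_idx (comments/strings already removed)."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    return len(src) - 1


def find_ssl_bypass(src: str) -> list:
    clean = strip_comments_and_strings(src)
    findings = []
    if not WEBVIEWCLIENT_IMPORT.search(clean):      # step 1
        return findings
    for cls in CLASS_DECL.finditer(clean):           # step 2
        open_idx = clean.find("{", cls.end())
        if open_idx < 0:
            continue
        body = clean[open_idx: block_end(clean, open_idx) + 1]
        for m in METHOD_DECL.finditer(body):         # step 3
            params = [p.split() for p in m.group(1).split(",")]
            handler = next((p[-1] for p in params if "SslErrorHandler" in p), None)
            if handler is None:
                continue
            brace = m.end() - 1
            method_body = body[brace: block_end(body, brace) + 1]
            # step 4: the handler is told to proceed despite the certificate error
            if re.search(r"\b%s\s*\.\s*proceed\s*\(" % re.escape(handler), method_body):
                line = clean.count("\n", 0, open_idx + m.start()) + 1
                findings.append(Finding(cls.group(1), line,
                                        "%s.proceed() accepts the invalid certificate" % handler))
    return findings


# Constructed sample inputs (not from any real app).
VULNERABLE_SRC = """\
import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.webkit.SslErrorHandler;
import android.net.http.SslError;

public class VulnerableWebViewClient extends WebViewClient {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // "handler.proceed()" inside a comment must not count
        handler.proceed(); // accepts any certificate
    }
}
"""

SECURE_SRC = """\
import android.webkit.WebViewClient;
import android.webkit.SslErrorHandler;
import android.net.http.SslError;
import android.util.Log;

public class SecureWebViewClient extends WebViewClient {
    @Override
    public void onReceivedSslError(android.webkit.WebView view, SslErrorHandler h, SslError error) {
        Log.e("SecureWebViewClient", "refusing to proceed(): " + error);
        h.cancel();
    }
}
"""

# Same bypass, but step 1 fails: no WebViewClient import, so the rule does not fire.
NO_IMPORT_SRC = """\
public class Client extends WebViewClient {
    public void onReceivedSslError(WebView v, SslErrorHandler handler, SslError e) { handler.proceed(); }
}
"""

if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE_SRC), ("secure", SECURE_SRC), ("no-import", NO_IMPORT_SRC)]:
        print(name, find_ssl_bypass(src))
```

The third sample shows a limit of the strategy as stated: a class that names the parent as android.webkit.WebViewClient without an import statement, or one that extends a project-internal subclass of WebViewClient, is not reported. A detector run in production would resolve the type hierarchy rather than rely on the import line.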
Vulnerable code example
import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.webkit.SslErrorHandler;
import android.net.http.SslError;

public class VulnerableWebViewClient extends WebViewClient {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // Ignores the certificate error and continues the connection, so an
        // attacker presenting a forged or self-signed certificate is accepted.
        handler.proceed();
    }
}
✅ Secure code example
import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.webkit.SslErrorHandler;
import android.net.http.SslError;
import android.util.Log;

public class SecureWebViewClient extends WebViewClient {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // Record the failure for diagnostics, then reject the connection.
        Log.e("SecureWebViewClient", "SSL error loading " + error.getUrl() + ": " + error);
        handler.cancel();
    }
}