Fluid Attacks Database

Description

Detects when Android WebView components load content over insecure HTTP URLs instead of HTTPS. This creates a security risk where attackers can intercept or modify web content through man-in-the-middle attacks, potentially compromising sensitive user data or enabling malicious script injection.

Weakness:

372 - Use of an insecure channel - HTTP

Category: Information Collection

Detection Strategy

• Check if the Android WebView class is imported in the code

• Identify WebView.loadUrl() method calls

• Examine the URL parameter passed to loadUrl() to check if it uses the insecure 'http://' scheme

• Report a vulnerability when HTTP URLs are loaded in WebView instead of secure HTTPS URLs

Vulnerable code example

import android.webkit.WebView;

public class VulnerableWebView {
    public void setupWebView() {
        WebView webView = new WebView(context);
        webView.getSettings().setJavaScriptEnabled(true);  // Dangerous: Enables JavaScript execution
        webView.loadUrl("http://example.com");  // Vulnerable: Uses insecure HTTP protocol
    }...

✅ Secure code example

import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.webkit.WebSettings;

public class SecureWebView {
    public void setupWebView(Context context) {
        WebView webView = new WebView(context);
        ...

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.