lcimeni / Kraken-Pro


NowSecure static analysis: Insecure Implementation Of WebView SSL Error Can Expose Network Traffic to Interception and Modification #34

Open lcimeni opened 3 years ago

lcimeni commented 3 years ago

Finding Description

The app is using SslErrorHandler.proceed(), an unsafe implementation of WebViewClient.onReceivedSslError that ignores all SSL certificate validation errors and leaves the app vulnerable to man-in-the-middle attacks. Its use can allow an attacker to modify the content of the affected WebView, steal sensitive transmitted data, and execute code inside the app. The use of SslErrorHandler.proceed() typically results in a security alert from Google that prevents the app from being uploaded to the Play Store.

Steps to Reproduce

Verify that the WebView code contains proper error handling measures as described in the Recommended Fix section. The NowSecure automated test for this vulnerability identifies instances where the application proceeds past SSL errors received by the WebViewClient.
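As an added illustration, not part of the NowSecure finding or of the Kraken-Pro code, the check below does in miniature what the automated test described above does: it locates an `onReceivedSslError` override in Java or Kotlin source and reports whether its body calls `proceed()` on the handler. The sample inputs are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample inputs (not taken from the Kraken-Pro repository).
VULNERABLE_JAVA = """
public class AppClient extends WebViewClient {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed();  // ignores every certificate error
    }
}
"""

SAFE_KOTLIN = """
class AppClient : WebViewClient() {
    override fun onReceivedSslError(view: WebView?, handler: SslErrorHandler, error: SslError) {
        Log.e("AppClient", "SSL error ${error.primaryError}")
        handler.cancel()
    }
}
"""


def _method_body(src: str, name: str) -> Optional[str]:
    """Return the brace-delimited body of the first method called `name`, or None."""
    match = re.search(r"\b" + re.escape(name) + r"\s*\(", src)
    if not match:
        return None
    open_brace = src.find("{", match.end())  # first '{' after the parameter list
    if open_brace < 0:
        return None
    depth = 0
    for i in range(open_brace, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_brace + 1:i]
    return None  # unbalanced braces: treat as no body found


def proceeds_past_ssl_errors(src: str) -> bool:
    """True when the onReceivedSslError override calls .proceed() anywhere in its body."""
    body = _method_body(src, "onReceivedSslError")
    if body is None:
        return False  # no override: the WebViewClient default (cancel) applies
    # Drop line and block comments so a commented-out proceed() is not reported.
    body = re.sub(r"//[^\n]*", "", body)
    body = re.sub(r"/\*.*?\*/", "", body, flags=re.S)
    return re.search(r"\.\s*proceed\s*\(", body) is not None
```

A `True` result is the condition this finding reports; a manual review should then confirm whether any branch of the method can reach `proceed()` without the certificate having been validated by other means.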

Business Impact

Applications that implement improper error handling with WebView network security controls can have network communications intercepted. A WebView is an in-app browser and is used to serve arbitrary content to users in the same way that a browser would. This makes vulnerabilities in WebViews especially broad, as these issues not only affect the app itself but also create issues for the content loaded by the app's functionality. An attacker who is able to exploit this vulnerability may use arbitrary code as a vector for follow-on attacks that lead to loss or change of sensitive user information, as well as displaying malicious or offensive content in the app.

Remediation Resources

Recommended Fix

Unsafe network error handling in Android WebViews can allow an app to make an insecure connection. Apps should never allow users to bypass network security controls, nor be written in a way that lets the app create connections that ignore security alerts. These high-risk scenarios can be avoided by properly implementing the call SslErrorHandler.cancel() to cancel the load when an SSL error is received by the WebViewClient.

Code Samples

Good Code Example (.java)

```java
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;

@Override
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
    String message = "";
    switch (error.getPrimaryError()) {
        case SslError.SSL_UNTRUSTED:
            message = "The certificate is not trusted";
            // Log.e takes a tag and a message
            Log.e("SslError", "Ssl Certificate error found: " + message);
            handler.cancel();
            break;
        // ... do this for the SslError constants you would like to check for
        default:
            // Any error not explicitly handled above is cancelled as well; never proceed
            handler.cancel();
            break;
    }
}
```

// The SslError constants are up to you to decide if the server you are connecting to meets your expectations or does not.
// We simply log the message as an error for reference and do not allow the user to proceed.

Good Code Example (.kotlin)

```kotlin
import android.net.http.SslError
import android.util.Log
import android.webkit.SslErrorHandler
import android.webkit.WebView

override fun onReceivedSslError(view: WebView?, handler: SslErrorHandler, error: SslError) {
    var message = ""
    when (error.primaryError) {
        SslError.SSL_UNTRUSTED -> {
            message = "The certificate is not trusted"
            // Log.e takes a tag and a message
            Log.e("SslError", "Ssl Certificate error found: $message")
            handler.cancel()
        }
        // ... do this for the SslError constants you would like to check for
        else -> {
            // Any error not explicitly handled above is cancelled as well; never proceed
            handler.cancel()
        }
    }
}
```

// The SslError constants are up to you to decide if the server you are connecting to meets your expectations or does not.
// We simply log the message as an error for reference and do not allow the user to proceed.

Additional Guidance

Risk and Regulatory Information

Severity: medium CVSS: 5.9

Application

See more detail in the NowSecure Report