We passed our app that contains code from kastri through an online tool for static app analysis (https://appsweep.guardsquare.com) and the above issue was identified alongside the details below:
Your app contains the custom WebView com.delphiworlds.kastri.DWWebViewClient which incorrectly implements TLS error handling. The overridden onReceivedSslError method does not contain any call to handler.cancel().
Therefore, when this WebView is shown, invalid TLS certificates will be accepted.
An attacker who is able to intercept the connection (e.g. with a man-in-the-middle (MitM) attack), can eavesdrop and modify the communication arbitrarily. At worst, if the WebView receives code from your backend, an attacker can modify it and gain remote code execution on the users’ device.
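A fail-closed `onReceivedSslError` override of the kind the scanner finding asks for, added here as an example; it is not the Kastri `DWWebViewClient` source, and the class name `StrictTlsWebViewClient` and the log tag are assumptions made for illustration:

```java
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Hypothetical class for illustration; not part of Kastri.
public class StrictTlsWebViewClient extends WebViewClient {
    private static final String TAG = "StrictTlsWebViewClient";

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // Fail closed: abort the load for every certificate error.
        // handler.proceed() at this point would load the page despite the error,
        // which is the behaviour the finding warns about.
        handler.cancel();
        // Record what failed so the rejection can be diagnosed without
        // weakening validation.
        Log.w(TAG, "TLS error, load cancelled: " + describe(error)
                + " url=" + error.getUrl());
    }

    // Maps the most severe error reported for the certificate to readable text.
    private static String describe(SslError error) {
        switch (error.getPrimaryError()) {
            case SslError.SSL_NOTYETVALID:
                return "certificate not yet valid";
            case SslError.SSL_EXPIRED:
                return "certificate expired";
            case SslError.SSL_IDMISMATCH:
                return "hostname mismatch";
            case SslError.SSL_UNTRUSTED:
                return "untrusted certificate authority";
            case SslError.SSL_DATE_INVALID:
                return "invalid certificate date";
            case SslError.SSL_INVALID:
            default:
                return "generic certificate error";
        }
    }
}
```

The base `WebViewClient` implementation of `onReceivedSslError` also cancels the load, so an override is only needed when the app wants to log or report the failure.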