(THIS CODING RULE OR GUIDELINE IS UNDER CONSTRUCTION)
For API level JELLY_BEAN or below, allowing an app to use the
android.webkit.WebView class. Sensitive data and app control should not be exposed to scripting attacks.
Noncompliant Code Example
This noncompliant code example shows an application that calls the
Compliant Solution #1
Compliant code could refrain from calling the
Compliant Solution #2
Another compliant solution is to specify in the app's manifest that the app is only for API levels JELLY_BEAN_MR1 and above. For these API levels, only public methods that are annotated with
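Compliant Solution #2 in code, as an added example that is not from the original page: with the manifest restricting the app to API level 17 (JELLY_BEAN_MR1) and above, the bridge object exposes only its annotated method to page script. It assumes the bridge is installed through WebView.addJavascriptInterface and that the opt-in annotation is android.webkit.JavascriptInterface; the package, class and method names are hypothetical.

```java
// Added example, not the page's own code. Assumptions: the bridge API is
// WebView.addJavascriptInterface, the opt-in annotation is
// android.webkit.JavascriptInterface, and the manifest declares
// <uses-sdk android:minSdkVersion="17" /> (JELLY_BEAN_MR1).
package com.example.bridge; // hypothetical package name

import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

public class BridgeActivity extends Activity {

    /** Object handed to page script. On API 17+ only annotated methods are callable. */
    public static class SafeBridge {
        private final String appVersion;

        SafeBridge(String appVersion) { this.appVersion = appVersion; }

        // Opt-in: reachable from JavaScript on API 17 and above.
        @JavascriptInterface
        public String getAppVersion() { return appVersion; }

        // No annotation: NOT reachable from JavaScript on API 17 and above.
        // On API 16 and below every public method, this one included, would be.
        public void privilegedOperation() { /* app-internal use only */ }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        webView.getSettings().setJavaScriptEnabled(true);

        // Defence in depth: even with minSdkVersion 17 in the manifest, install the
        // bridge only where the annotation gate is enforced by the platform.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new SafeBridge("1.0"), "AppBridge");
        }
        setContentView(webView);
        // Placeholder URL; the loaded page may contain untrusted content.
        webView.loadUrl("https://example.com/");
    }
}
```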
Android Version Applicability
Applies to Android API versions 16 (JELLY_BEAN) and below.
Allowing an app to provide access to the
WebView which could contain untrusted content may leave it open to scripting attacks that could corrupt the host, for API level JELLY_BEAN and below.
Automatic detection of a call to the
WebView is straightforward. Similarly, it is straightforward to automatically ensure that the minimum API is set to JELLY_BEAN_MR1 in the app manifest. Automatic determination of whether the
WebView could contain untrusted content may be impossible for some applications.
The CERT Oracle Secure Coding Standard for Java: SEC05-J. Do not use reflection to increase accessibility of classes, methods, or fields