SonarSource · antonioaversa · Feb 19, 2025 · Feb 19, 2025 · Feb 21, 2025 · Feb 21, 2025
diff --git a/docs/header_names/allowed_framework_names.adoc b/docs/header_names/allowed_framework_names.adoc
@@ -27,6 +27,7 @@
 * libxml2
 // Java
 * Android
+* Android WebView
 * Apache Commons
 * Apache Commons
 * Apache Commons Email
@@ -47,7 +48,6 @@
 * Legacy Mongo Java API
 * OkHttp
 * Realm
-* Java Cryptography Extension
 * Apache HttpClient
 * Couchbase
 * SAX

diff --git a/rules/S4830/kotlin/how-to-fix-it/android-webview.adoc b/rules/S4830/kotlin/how-to-fix-it/android-webview.adoc
@@ -0,0 +1,44 @@
+== How to fix it in Android WebView
+
+=== Code examples
+
+include::../../common/fix/code-rationale.adoc[]
+
+The certificate validation gets disabled by overriding the `onReceivedSslError` method of the `WebViewClient` class with an implementation that calls `SslErrorHandler.proceed()` unconditionally, and that never calls `SslErrorHandler.cancel()`.
+
+This means that a certificate initially rejected by the system will be accepted by the `WebViewClient`, regardless of its origin.
+
+=== Noncompliant code example
+
+[source,kotlin,diff-id=101,diff-type=noncompliant]
+----
+class MyWebViewClient : WebViewClient() {
+    override fun onReceivedSslError(view: WebView, handler: SslErrorHandler, error: SslError) =
+        handler.proceed() // Noncompliant
+}
+----
+
+=== Compliant solution
+
+You need to implement a validation of the server certificate received in the `SslErrorHandler` object, calling `proceed` and `cancel` appropriately.
+
+[source,kotlin,diff-id=101,diff-type=compliant]
+----
+class MyWebViewClient : WebViewClient() {
+    override fun onReceivedSslError(view: WebView, handler: SslErrorHandler, error: SslError) {
+        if (error.certificate.isServerCertificateValid()) {
+            handler.proceed()
+        } else {
+            handler.cancel()
+        }
+    }
+
+    private fun SslCertificate.isServerCertificateValid(): Boolean {
+        // Implement the server certificate validation logic here ...
+    }
+}
+----
+
+=== How does this work?
+
+include::../../common/fix/validation.adoc[]
diff --git a/rules/S4830/kotlin/rule.adoc b/rules/S4830/kotlin/rule.adoc
@@ -10,11 +10,15 @@ include::../impact.adoc[]
 
 include::how-to-fix-it/java-cryptography-extension.adoc[]
 
+include::how-to-fix-it/android-webview.adoc[]
+
 == Resources
 
 include::../common/resources/standards-mobile.adoc[]
 
-* https://wiki.sei.cmu.edu/confluence/display/java/MSC61-J.+Do+not+use+insecure+or+weak+cryptographic+algorithms
+* CERT - https://wiki.sei.cmu.edu/confluence/display/java/MSC61-J.+Do+not+use+insecure+or+weak+cryptographic+algorithms
+* Google Support - https://support.google.com/faqs/answer/7071387?hl=en[How to address WebView SSL Error Handler alerts in your apps]
+* Android Documentation - https://developer.android.com/reference/android/webkit/WebViewClient?hl=en#onReceivedSslError(android.webkit.WebView,%20android.webkit.SslErrorHandler,%20android.net.http.SslError)[WebViewClient.onReceivedSslError] method
 
 ifdef::env-github,rspecator-view[]