Summary
Google Play Console reports a security violation related to JavaScript interface injection in the Stripe Android SDK 3DS Challenge flow.
The issue is detected via static code analysis and points to the following class:
com.stripe.android.challenge.confirmation.IntentConfirmationChallengeWebView.a
This is flagged as a violation of the Device and Network Abuse policy, specifically related to unsafe WebView JavaScript interfaces.
Affected SDK Version
- Stripe Android SDK: 22.1.1
Play Console Warning (excerpt)
We found that your app contains a security vulnerability that could lead to user data exposure or device compromise.
Specifically, your app's WebView is vulnerable to JavaScript interface injection.
Code reference:
com.stripe.android.challenge.confirmation.IntentConfirmationChallengeWebView.a
payments-core/src/main/java/com/stripe/android/challenge/confirmation/IntentConfirmationChallengeWebView.kt
Context
- The issue occurs during the 3DS Challenge flow, which uses a WebView to load bank / ACS challenge pages.
- The flagged code is not part of the application’s own WebView implementation.
- The application itself does not call addJavascriptInterface directly.
- The finding appears to originate from the Stripe SDK’s internal Challenge WebView implementation.
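For reference, the pattern behind this class of Play Console warning, as an added illustration (not Stripe's code and not a claim about what the SDK does internally): a Java object exposed through addJavascriptInterface is callable by any page or frame the WebView loads, whereas WebViewCompat.addWebMessageListener from androidx.webkit lets the host restrict the bridge to an explicit set of origins. The ACS origin and bridge names below are hypothetical.

```kotlin
import android.annotation.SuppressLint
import android.net.Uri
import android.webkit.JavascriptInterface
import android.webkit.WebView
import androidx.webkit.JavaScriptReplyProxy
import androidx.webkit.WebMessageCompat
import androidx.webkit.WebViewCompat
import androidx.webkit.WebViewFeature

// Pattern that static scanners flag: the object is reachable under a global JS
// name from every page and iframe the WebView loads, with no origin check.
class ChallengeBridge(private val onResult: (String) -> Unit) {
    @JavascriptInterface
    fun onChallengeComplete(result: String) = onResult(result)
}

@SuppressLint("JavascriptInterface") // kept as the weak form, for comparison only
fun attachUnrestrictedBridge(webView: WebView, onResult: (String) -> Unit) {
    webView.settings.javaScriptEnabled = true
    webView.addJavascriptInterface(ChallengeBridge(onResult), "ChallengeBridge")
}

// Hypothetical challenge-page origin; a real integration would take it from config.
const val ACS_HOST = "acs.example-bank.test"
const val ACS_ORIGIN = "https://$ACS_HOST"

// Hardened form: the WebView only injects the bridge into documents from the
// listed origins, and the listener re-checks origin and frame before acting.
// Returns false when the device's WebView is too old for the feature.
fun attachRestrictedBridge(webView: WebView, onResult: (String) -> Unit): Boolean {
    if (!WebViewFeature.isFeatureSupported(WebViewFeature.WEB_MESSAGE_LISTENER)) return false
    webView.settings.javaScriptEnabled = true
    WebViewCompat.addWebMessageListener(
        webView, "ChallengeBridge", setOf(ACS_ORIGIN),
        object : WebViewCompat.WebMessageListener {
            override fun onPostMessage(
                view: WebView, message: WebMessageCompat, sourceOrigin: Uri,
                isMainFrame: Boolean, replyProxy: JavaScriptReplyProxy
            ) {
                // Defence in depth: drop messages from iframes or unexpected origins.
                if (!isMainFrame) return
                if (sourceOrigin.scheme != "https" || sourceOrigin.host != ACS_HOST) return
                message.data?.let(onResult)
            }
        }
    )
    return true
}
```

Page-side script would call `ChallengeBridge.postMessage(result)` in the restricted form instead of `ChallengeBridge.onChallengeComplete(result)`; when `attachRestrictedBridge` returns false the host should fall back to a flow that does not expose a bridge at all.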
Questions
- Is Stripe aware that SDK version 22.1.1 is flagged by Google Play’s security scanner due to JavaScript interface usage in the 3DS Challenge WebView?
- Has this behavior been changed, mitigated, or refactored in later SDK versions?
Expected Outcome
- Confirmation of whether upgrading the Stripe Android SDK resolves the Play Console security warning.
- Guidance on which SDK version is compliant with current Google Play WebView security requirements.
Thank you for your help.