Skip to content

Java: Add query for improper webview certificate validation #9663

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 12 commits into from
Aug 5, 2022
Merged

Java: Add query for improper webview certificate validation #9663

merged 12 commits into from
Aug 5, 2022

Conversation

joefarebrother
Copy link
Contributor

This query finds implentations of WebViewClient.onRecievedSslError that unconditionaly call SslErrorHandler.proceed and thus accept all certificates.

@joefarebrother joefarebrother requested a review from a team as a code owner June 22, 2022 13:10
atorralba
atorralba reviewed Jun 22, 2022
View reviewed changes
Copy link
Contributor

@atorralba atorralba left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some quick comments, I'll do a more detailed review later.

atorralba
atorralba reviewed Jul 19, 2022
View reviewed changes
Copy link
Contributor

@atorralba atorralba left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's go for a performance evaluation and LGTM run for FP ratio. But otherwise looks good to me, just added a minor suggestion.

@atorralba atorralba added the ready-for-doc-review This PR requires and is ready for review from the GitHub docs team. label Jul 19, 2022
mchammer01
mchammer01 previously approved these changes Jul 22, 2022
View reviewed changes
Copy link
Contributor

@mchammer01 mchammer01 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@joefarebrother 👋🏻 - I carried out an editorial review and this LGTM ✨
Just a couple of clarifying comments.

java/ql/src/Security/CWE/CWE-295/ImproperWebViewCertificateValidation.ql
@@ -0,0 +1,18 @@
/**
* @name Android `WebView` that accepts all certificates
* @description Trusting all certificates allows an attacker to perform a machine-in-the-middle attack.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, commenting here to check that machine-in-the-middle attack is a thing (I've only ever heard of man-in-the-middle attacks 🙊 ).

Copy link
Contributor Author

@joefarebrother joefarebrother Jul 22, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It should be man-in-the-middle, thanks
Edit In fact both names are accepted, but I'll go with man-in-the-middle as it's the more common name.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought you used machine-in-the-middle as a gender-neutral term :-)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In fact I copied it from another file. But that reasoning makes sense; I'll keep it as machine then

java/ql/src/Security/CWE/CWE-295/ImproperWebViewCertificateValidation.qhelp
<overview>
<p>
If the <code>onReceivedSslError</code> method of an Android <code>WebViewClient</code> always calls <code>proceed</code> on the given <code>SslErrorHandler</code>, it trusts any certificate.
This allows an attacker to perform a machine-in-the-middle attack against the application, therefore breaking any security Transport Layer Security (TLS) gives.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment as on the ql file (double-checking)

@joefarebrother joefarebrother force-pushed the android-certificate-validation branch from 0c9dfb0 to dd83c17 Compare August 5, 2022 11:56
@joefarebrother
Copy link
Contributor Author

Is this ready to merge? @atorralba

atorralba
atorralba approved these changes Aug 5, 2022
View reviewed changes
Copy link
Contributor

@atorralba atorralba left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code and LGTM results look good to me. If DCA is happy, I think we can merge! :)

@joefarebrother joefarebrother merged commit d2007bc into github:main Aug 5, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mchammer01 mchammer01 mchammer01 left review comments

+1 more reviewer

@atorralba atorralba atorralba approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
documentation Java ready-for-doc-review This PR requires and is ready for review from the GitHub docs team.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@joefarebrother @atorralba @mchammer01