Last updated: June 22, 2025

MASTG-TEST-0284: Incorrect SSL Error Handling in WebViews

Overview

This test evaluates whether an Android app has WebViews that ignore SSL/TLS certificate errors by overriding the onReceivedSslError(...) method without proper validation.

The method onReceivedSslError(...) is triggered when a WebView encounters an SSL certificate error while loading a page. By default, the WebView cancels the request to protect users from insecure connections. Overriding this method and calling SslErrorHandler.proceed() without proper validation disables this protection.

This effectively bypasses SSL certificate checks in the WebView, exposing the app to MITM attacks using invalid, expired, or self-signed certificates.

Steps

  1. Reverse engineer the app (Decompiling Java Code).
  2. Inspect the source code and run a static analysis tool (Static Analysis on Android) and look for all usages of onReceivedSslError(...).

Observation

The output contains a list of locations where onReceivedSslError(...) is overridden and either calls proceed() or lacks exception handling that properly handles SSL errors.

Evaluation

The test fails if onReceivedSslError(...) is overridden and certificate errors are ignored without proper validation or user involvement.

This includes cases such as:

  • Unconditionally accepting SSL errors: calling proceed() without checking the nature of the error.
  • Relying only on primary error code: using getPrimaryError() for decision-making, such as proceeding if the primary error is not SSL_UNTRUSTED, which may overlook additional errors in the chain.
  • Suppressing exceptions silently: catching exceptions in onReceivedSslError(...) without calling cancel(), which allows the connection to continue silently.

According to official Android guidance, apps should never call proceed() in response to SSL errors. The correct behavior is to cancel the request to protect users from potentially insecure connections. User prompts are also discouraged, as users cannot reliably evaluate SSL issues.
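The three failing patterns listed above, placed next to the override that passes this test, as an added example (it is not code from MASTG or from any app under test). The class and method names, the TAG constant and the hypothetical isPinnedHost(...) helper are assumptions made for illustration; the Android APIs used (SslError, SslErrorHandler, WebViewClient) are the real ones the test refers to.

```java
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/** Added example: what a reviewer flags vs. what passes MASTG-TEST-0284. */
public final class WebViewSslHandlingExamples {

    private static final String TAG = "WebViewSsl"; // assumed log tag

    /** FAILS: pattern 1, unconditionally accepting SSL errors. */
    static final class UnconditionalProceedClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            // Every invalid, expired or self-signed certificate is accepted.
            handler.proceed();
        }
    }

    /** FAILS: pattern 2, deciding on the primary error code alone. */
    static final class PrimaryErrorOnlyClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            // getPrimaryError() reports one code; an SslError can carry several
            // (see SslError.hasError(int)), so the other errors in the chain are ignored.
            if (error.getPrimaryError() != SslError.SSL_UNTRUSTED) {
                handler.proceed();
            } else {
                handler.cancel();
            }
        }
    }

    /** FAILS: pattern 3, suppressing exceptions without cancel(). */
    static final class SwallowedExceptionClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            try {
                // isPinnedHost(...) is a hypothetical app helper that may throw.
                if (isPinnedHost(error.getUrl())) {
                    handler.proceed();
                }
            } catch (Exception e) {
                // The error is logged but never rejected: cancel() is not called.
                Log.e(TAG, "ssl check failed", e);
            }
        }

        private boolean isPinnedHost(String url) {
            throw new IllegalStateException("pin store not initialised"); // assumed failure
        }
    }

    /** PASSES: the request is cancelled, with no proceed() and no user prompt. */
    static final class CancellingClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            Log.w(TAG, "Rejected TLS connection to " + error.getUrl() + ": " + error);
            handler.cancel();
        }
    }
}
```

CancellingClient only adds logging; the default WebViewClient implementation already cancels, so the simplest passing implementation is to not override onReceivedSslError(...) at all. When reviewing decompiled code, each override found in step 2 should be matched against the three failing patterns above.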

When testing using automated tools, you will need to inspect all the reported locations in the reverse-engineered code to confirm the incorrect implementation (Reviewing Decompiled Java Code).