
...

For API level JELLY_BEAN (API 16) or below, calling addJavascriptInterface() on a WebView that may load untrusted content leaves the app vulnerable to scripting attacks: JavaScript in the loaded page can use reflection to reach any public method of the injected object, including the inherited Object.getClass(), and from there other classes such as java.lang.Runtime, so the page can execute code with the app's permissions. Untrusted content includes content fetched over HTTP (as opposed to HTTPS) and user-provided content. The method addJavascriptInterface(Object, String) is defined in the android.webkit.WebView class. Beginning with JELLY_BEAN_MR1 (API 17), and only when the app's targetSdkVersion is 17 or higher, just the methods annotated with @JavascriptInterface are exposed to JavaScript; on older platforms no such restriction exists, so an interface must not be injected into a WebView that could display untrusted content. Sensitive data and control over the app must never be exposed to scripting attacks.
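The following Android Activity is an added illustration of the pattern described above; it is not the standard's own noncompliant or compliant example (those are elided from this excerpt). The class names, the `bridge` interface name, the URLs and the `LegacyBridge`/`SafeBridge` objects are assumptions made for the illustration.

```java
import android.annotation.SuppressLint;
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

// Added illustration, not the standard's own example. Class, URL and
// interface names are assumptions.
public class BridgeExampleActivity extends Activity {

    // On JELLY_BEAN (API 16) and below every public method of this object,
    // including the inherited Object.getClass(), is reachable from page script.
    static class LegacyBridge {
        public String getAccountToken() { return "token-placeholder"; } // sensitive
    }

    // On API 17+ with targetSdkVersion >= 17, only methods carrying
    // @JavascriptInterface are exposed; getClass() and unannotated methods are not.
    static class SafeBridge {
        @JavascriptInterface
        public String getAppVersion() { return "1.0"; } // deliberately non-sensitive
    }

    // Noncompliant: a reflective bridge plus untrusted (plain HTTP) content.
    // A hostile page can walk bridge.getClass() to java.lang.Runtime and run
    // commands with the app's permissions. Kept only to show what to avoid.
    static void noncompliantSetup(WebView webView) {
        webView.addJavascriptInterface(new LegacyBridge(), "bridge");
        webView.loadUrl("http://example.com/untrusted"); // HTTP is untrusted content
    }

    // Compliant: decide by platform level, expose nothing sensitive, and load
    // only content the app controls over HTTPS.
    static void compliantSetup(WebView webView) {
        if (Build.VERSION.SDK_INT <= Build.VERSION_CODES.JELLY_BEAN) {
            // No @JavascriptInterface filtering exists here: inject no interface.
            webView.loadUrl("https://example.com/trusted");
        } else {
            // Requires <uses-sdk android:targetSdkVersion="17" /> (or higher)
            // in the manifest, otherwise the annotation filter is not applied.
            webView.addJavascriptInterface(new SafeBridge(), "bridge");
            webView.loadUrl("https://example.com/trusted");
        }
    }

    @SuppressLint("SetJavaScriptEnabled")
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        webView.getSettings().setJavaScriptEnabled(true);
        setContentView(webView);
        compliantSetup(webView);
    }
}
```

The runtime branch matters because the @JavascriptInterface restriction is enforced by the platform: an app with targetSdkVersion 17 that is installed on an API 16 device still exposes every public method of the injected object, so the only safe choice there is to inject nothing into a WebView that might show untrusted content.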

Noncompliant Code Example

...

Automatic detection of a call to the addJavascriptInterface() method on a WebView is straightforward. Similarly, it is straightforward to automatically check that the minimum API level is set to JELLY_BEAN_MR1 in the app manifest; note that the @JavascriptInterface restriction also requires targetSdkVersion to be 17 or higher, so a check of minSdkVersion alone does not establish that the restriction is in effect. Automatic determination of whether the WebView could contain untrusted content may be impossible for some applications.

Related Guidelines

...