...
For API level JELLY_BEAN or below, allowing an app to use the addJavascriptInterface method with untrusted content in a WebView leaves WebView leaves the app vulnerable to scripting attacks using reflection to access public methods from JavaScript. The method addJavascriptInterface(Object, String) is called from the android.webkit.WebView class. Sensitive data and app control should not be exposed to a scripting attack.
...
Another compliant solution is to specify in the app's manifest that the app is only for API levels JELLY_BEAN_MR1 and above. For these API levels, only public methods that are annotated with JavascriptInterface can be accessed from JavaScript. API level 17 is JELLY_BEAN_MR1.
...
Allowing an app to provide access to the addJavascriptInterface to the addJavascriptInterface method in a WebView which could contain untrusted content may leave it open to scripting attacks that could corrupt the host, for API level JELLY_BEAN and below.
...
Automatic detection of a call to the addJavascriptInterface() method in a WebView is WebView is straightforward. Automatic detection of if the minimum API is set to JELLY_BEAN_MR1 in the app manifest is straightforward. Determination of whether the WebView could contain untrusted content could be impossible to do in an automated way for some applications.
...