...
For API level JELLY_BEAN or below, allowing an app to use the addJavascriptInterface method with untrusted content in a WebView leaves the app vulnerable to scripting attacks that use reflection to call the public methods of the exposed object from JavaScript. The method addJavascriptInterface(Object, String) is called from the android.webkit.WebView class. Sensitive data and app control should not be exposed to such a scripting attack. Also, code received via such an interface cannot be trusted, and it could corrupt the network or server.
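The following Java class is an added illustration of the defensive pattern the paragraph implies; it is not code from the guideline or from the Android project. It attaches a bridge object only on API levels where the platform restricts JavaScript to methods annotated with @JavascriptInterface (JELLY_BEAN_MR1 and later), and only when the page being loaded comes from a trusted https origin. The class name SafeBridge, the interface name AppBridge, the Handler callback and the host app.example.com are assumptions made for this example.

```java
import android.net.Uri;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

/* Added example (not from the guideline): a bridge object that exposes
 * a single, narrowly scoped method to page script. On API 17+ only methods
 * carrying @JavascriptInterface are reachable from JavaScript; on API 16 and
 * below every public method of the object (and of any object it returns) is
 * reachable through reflection, so the object is never attached there. */
public final class SafeBridge {

    /* Trusted origin: an assumed value for this example. */
    private static final String TRUSTED_HOST = "app.example.com";

    /* Hypothetical application callback, assumed for illustration. */
    public interface Handler {
        void onThemeChanged(String theme);
    }

    private final Handler handler;

    private SafeBridge(Handler handler) {
        this.handler = handler;
    }

    /* The only method page script may call. It accepts a plain String,
     * validates it against a fixed set, and returns nothing, so no further
     * objects (and their public methods) leak to the page. */
    @JavascriptInterface
    public void setTheme(String theme) {
        if ("light".equals(theme) || "dark".equals(theme)) {
            handler.onThemeChanged(theme);
        }
    }

    /* True only for https pages on the trusted host. */
    static boolean isTrustedUrl(String url) {
        Uri uri = Uri.parse(url);
        return "https".equals(uri.getScheme())
                && TRUSTED_HOST.equalsIgnoreCase(uri.getHost());
    }

    /* Attaches the bridge only when (a) the platform limits exposure to
     * @JavascriptInterface methods and (b) the page to be loaded is trusted.
     * Otherwise any previously registered interface is removed and
     * JavaScript stays disabled for the load. */
    public static void loadWithBridge(WebView webView, String url, Handler handler) {
        boolean platformSafe =
                Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1;
        if (platformSafe && isTrustedUrl(url)) {
            webView.getSettings().setJavaScriptEnabled(true);
            webView.addJavascriptInterface(new SafeBridge(handler), "AppBridge");
        } else {
            webView.removeJavascriptInterface("AppBridge");
            webView.getSettings().setJavaScriptEnabled(false);
        }
        webView.loadUrl(url);
    }
}
```

Two points worth noting about this design. First, on JELLY_BEAN and below there is no platform-level way to limit what the injected object exposes, so the only safe choice is not to register an interface at all; the code falls back to that rather than attempting to filter methods. Second, isTrustedUrl checks only the initial URL: if the WebView is allowed to follow links or redirects, the same origin check has to be applied in a WebViewClient (for example in shouldOverrideUrlLoading), otherwise a navigation to untrusted content would still reach the registered bridge.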
Noncompliant Code Example
...