Android - Code Pathfinder Atlas

Browse our specialized collection of Android security rules designed to help you write better, more secure Android applications.

Test Locally

To run these rules against your Android codebase:

codepathfinder ci --project /src/project --ruleset cpf/android

Rules (5)

WebView JavaScript Enabled

Rule ID: java/android/webview-javascript-enabled
Severity: Medium | CWE: 079
Enabling JavaScript execution in a WebView can result in cross-site scripting attacks.

// ❌ Vulnerable: JavaScript enabled without safeguards
WebView webView = new WebView(context);
webView.getSettings().setJavaScriptEnabled(true);

// ✅ Safe: JavaScript disabled by default
WebView webView = new WebView(context);
// JavaScript remains disabled
webView.loadUrl("https://trusted-domain.com");

WebView JavaScript Interface

Rule ID: java/android/webview-javascript-interface
Severity: Medium | CWE: 079
Enabling addJavascriptInterface exposes java methods to JavaScript.

// ❌ Vulnerable: Exposing Java interface to JavaScript
webView.addJavascriptInterface(new JavaScriptInterface(), "Android");

// ✅ Safe: Using modern API methods
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) {
  webView.evaluateJavascript("javascript:processData()", null);
}

WebView Content Access

Rule ID: java/android/webview-set-allow-content-access
Severity: Medium | CWE: 079
Enabling setAllowContentAccess enables content:// access from webpages.

// ❌ Vulnerable: Enabling content access
webView.getSettings().setAllowContentAccess(true);

// ✅ Safe: Content access disabled
WebView webView = new WebView(context);
webView.getSettings().setAllowContentAccess(false);
// Only load trusted content

WebView File Access

Rule ID: java/android/webview-set-allow-file-access
Severity: Medium | CWE: 079
Enabling setAllowFileAccess enables webview access to file:/// URLs.

// ❌ Vulnerable: Enabling file access
webView.getSettings().setAllowFileAccess(true);

// ✅ Safe: File access disabled
WebView webView = new WebView(context);
webView.getSettings().setAllowFileAccess(false);
// Use content providers for controlled file access

WebView File URL Access

Rule ID: java/android/webview-set-allow-file-access-from-file-urls
Severity: Medium | CWE: 079
Enabling setAllowFileAccessFromFileURLs leaks sandbox access to file:/// URLs.

// ❌ Vulnerable: Enabling file URL access
webView.getSettings().setAllowFileAccessFromFileURLs(true);

// ✅ Safe: File URL access disabled
WebView webView = new WebView(context);
webView.getSettings().setAllowFileAccessFromFileURLs(false);
// Implement proper file access controls

For more information on using Code PathFinder with Android, see our documentation.