addJavascriptInterface exposes native methods to web content; on older WebViews it enables remote code execution.
How it's exploited
addJavascriptInterface exposes native methods to page JavaScript. If the WebView ever renders attacker-influenced content (an HTTP page, MITM, an open redirect, an ad), that script calls your bridge directly; pre-API-21 it was full RCE.
Why it matters
Web content escalates into native capability: file access, token theft, or arbitrary actions your bridge allows.
How to fix it
Only attach the bridge to WebViews that load exclusively your own HTTPS origins; verify with shouldOverrideUrlLoading.
Annotate the minimal method set with @JavascriptInterface and treat every argument as hostile input.
Prefer WebMessageListener/postMessage channels with origin allowlists on modern AndroidX WebKit.
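The three fixes above combined in one setup routine, as an added example that is not code from the original page. Assumptions: the class name BridgeSetup, the host app.example.com, the object name "appBridge", the "getVersion" command and its reply are hypothetical, and the app targets API 24+ so the WebResourceRequest overload of shouldOverrideUrlLoading is available.

```java
// Added example. BridgeSetup, TRUSTED_HOST, "appBridge" and "getVersion"
// are hypothetical names chosen for illustration.
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import androidx.webkit.WebViewCompat;
import androidx.webkit.WebViewFeature;
import java.util.Collections;

public final class BridgeSetup {
    private static final String TRUSTED_HOST = "app.example.com"; // assumed origin

    // True only for https://TRUSTED_HOST on the default port.
    static boolean isTrusted(Uri uri) {
        return uri != null
                && "https".equals(uri.getScheme())
                && TRUSTED_HOST.equals(uri.getHost())
                && (uri.getPort() == -1 || uri.getPort() == 443);
    }

    public static void attach(WebView webView) {
        // Cancel any navigation that would leave the trusted HTTPS origin.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView v, WebResourceRequest r) {
                return !isTrusted(r.getUrl()); // true = do not load this URL
            }
        });

        // Fail closed: without listener support, attach no bridge at all
        // instead of falling back to addJavascriptInterface.
        if (!WebViewFeature.isFeatureSupported(WebViewFeature.WEB_MESSAGE_LISTENER)) {
            return;
        }
        // The WebView injects "appBridge" only into frames matching the allowlist.
        WebViewCompat.addWebMessageListener(webView, "appBridge",
                Collections.singleton("https://" + TRUSTED_HOST),
                (view, message, sourceOrigin, isMainFrame, replyProxy) -> {
                    // Re-check the sender even though the allowlist already applies.
                    if (!isMainFrame || !isTrusted(sourceOrigin)) return;
                    // Hostile input: exact-match against a fixed command set.
                    if ("getVersion".equals(message.getData())) {
                        replyProxy.postMessage("1.0"); // constructed reply value
                    }
                });
    }
}
```

shouldOverrideUrlLoading is not called for POST requests, so the origin check inside the listener is the control that actually gates the bridge; the navigation filter is a second layer.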