Android WebView Based Vulnerabilities

WebViews are used in Android applications to load content and HTML pages within the application. Because of this functionality, the WebView implementation must be secure so that it does not expose the application to great risk.

1.    Loading Clear-Text Content:

If WebView is allowed to load clear-text content from the Internet, it is open to various forms of attack such as MiTM.

Sample snippets in code:

myWebView.loadUrl("http://www.droidsec.org/tests/addjsif/");

2.    SSL Error Handling:

The code below instructs the WebView client to proceed when an SSL error occurs. The application is therefore vulnerable to MiTM attacks: because any certificate is accepted, an attacker can read or modify the content that is displayed to the user.

Sample snippets in code:

@Override
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error)
{
    // Vulnerable: ignores the certificate error and continues loading
    handler.proceed();
}

3.    JavaScript Enabled:

Allowing JavaScript content to be executed within the application via WebView might give an attacker the opportunity to execute arbitrary JavaScript code in order to perform malicious actions. The following setting allows WebView to execute JavaScript code.

Sample snippets in code:

WebSettings webSettings = myWebView.getSettings();
webSettings.setJavaScriptEnabled(true);

The "JavascriptInterface" function allows bridging between JavaScript code and the native Java code. This means that Java objects can be injected into the WebView and their Java code called by JavaScript.

4.    Accessing Local Resources:

If the WebView is allowed to access content from other applications that exist on the same device, it could be possible for an attacker to create a malicious HTML file and inject it into the target application through the "file:" scheme. For this malicious file to be loaded, it needs to have WORLD_READABLE permissions.

Mitigation (Local Resources):

The main way to keep WebView from accessing sensitive local resources through the file scheme:

Any URI received via an intent from outside a trust boundary should be validated before rendering it with WebView. For example:

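// "http://example.com" is the extra's key, exactly as given in the original snippet
String intentUrl = getIntent().getStringExtra("http://example.com");
String loadUrl = "about:blank";   // safe default if validation fails
// The extra may be absent (null); only accept URLs that do not use the file: scheme
if (intentUrl != null && !intentUrl.startsWith("file:"))
{
    loadUrl = intentUrl;
}
myWebView.loadUrl(loadUrl);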
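
A stricter form of the check above, as an added example rather than code from the original article: instead of rejecting only file:, it allowlists https and a fixed set of hosts, which also covers the clear-text http:// loads from section 1 and mixed-case schemes such as FILE:. The class name, ALLOWED_HOSTS and the sample URLs are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Added example: allowlist validation for a URL taken from an untrusted Intent.
public final class WebViewUrlValidator {
    // Assumption: the only hosts this app is meant to render.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("example.com", "www.example.com"));
    static final String SAFE_DEFAULT = "about:blank";

    /** Returns the trimmed URL if it is https on an allowed host, else about:blank. */
    static String sanitize(String untrusted) {
        if (untrusted == null) return SAFE_DEFAULT;
        final URI uri;
        try {
            uri = new URI(untrusted.trim());   // strict parse: rejects spaces, backslashes
        } catch (URISyntaxException e) {
            return SAFE_DEFAULT;
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();           // null for file:///, opaque or malformed URIs
        if (scheme == null || host == null) return SAFE_DEFAULT;
        // Schemes are case-insensitive, so normalise before comparing.
        if (!"https".equals(scheme.toLowerCase(Locale.ROOT))) return SAFE_DEFAULT;
        // Reject user-info so "allowed-host@other-host" cannot mislead a reviewer.
        if (uri.getUserInfo() != null) return SAFE_DEFAULT;
        if (!ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) return SAFE_DEFAULT;
        return uri.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs, standing in for getIntent().getStringExtra(...).
        String[] samples = {
            "https://example.com/help",
            "http://example.com/help",
            "file:///sdcard/page.html",
            "FILE:///sdcard/page.html",
            "https://example.org/help",
            null
        };
        for (String s : samples) {
            System.out.println(s + " -> " + sanitize(s));
        }
    }
}
```

In an Activity, the result of sanitize() would be passed to myWebView.loadUrl() in place of the raw intent extra.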

WebView and WebView enabled vulnerable methods:

Vulnerable methods when WebView is in place:

setAllowContentAccess()

setAllowFileAccess()

setAllowFileAccessFromFileURLs()

setAllowUniversalAccessFromFileURLs()

setJavaScriptEnabled()

setPluginState()
