I am creating an android web app using Webview
and Javascript
making addJavascriptInterface(true)
.
My App will content data(html) that will be loaded from an external site.
I worried about the cross-site-scripting XSS/security of my app as I am enabling addJavascriptInterface(true).
What are the things I should be taking care so that any malicious code should not run on my app ?
WebView is in common use in Android applications. Although default configuration is secure, developers tend to introduce changes in its configuration which may introduce security risks.
According to the latest records 70% of the Android phones have been found Vulnerable to the webview javascript vulnerability. WebView usage of JavaScript is the major concern in this vulnerability. If the application being loaded into WebView requires JavaScript support, it can be enabled by using the following line.
WebView is a web browser that can be built into an app, and represents the most widely used component of the Android ecosystem; it is also subject to the largest number of potential errors.
WebViews security concerns with JavaScript enabled for Android 4.3 and below. The primary vulnerabilities involved in the WebView component are Insecure Direct Object References, SQL Injection, and Cross-Site Scripting (XSS).
I found a good study from Syracuse University called Attacks on WebView in the Android System, which illustrates how using a WebView
with addJavascriptInterface(true)
can enable two kinds of attacks. One, from a malicious website that will now have access to your app via the phone services you assign to the interface (e.g. Contacts, Camera, etc.) or two, a malicious app can have access to a vulnerable website, by inserting code into its Javascript.
Basically the fix for app developers is to insure that in WebView
, no other URL other than that intended is allowed to be viewed in your WebView. For example, say you embed Facebook.com into your WebView
, you can write code to insure that if any other advertisement in Facebook is clicked, that the external browser will open instead of displaying in your WebView
. This is most common through iFrames... although the article goes more into depth about that.
Here is the example they present that insures no other URL is viewed in a WebView
other than one originally intended:
WebViewclient wvclient = New WebViewClient() {
// override the "shouldOverrideUrlLoading" hook.
public boolean shouldOverrideUrlLoading(WebView view,String url){
if(!url.startsWith("http://www.facebook.com")){
Intent i = new Intent("android,intent.action.VIEW",
Uri.parse(url));
startActivity(i);
}
}
// override the "onPageFinished" hook.
public void onPageFinished(WebView view, String url) { ...}
}
webView.setWebViewClient(wvclient);
It's a great study, and outlines several different ways of attacks. Worth the read!
There is vulnerability in webview older than 4.2 when you Enable javascript for it.
Use of enabling Javascript:
Once JavaScript is enabled, you can create interfaces between your application code and your JavaScript code.
addJavascriptInterface (Object object, String name) method:
The addJavascriptInterface method injects a supplied Java object into WebView.
The object is injected into the JavaScript context of the main frame, using a supplied name and this allows the Java object’s methods to be accessed from JavaScript.
For applications running Android 4.1 or older, all public methods (including the inherited ones) can be accessed, so when a user’s installed application with addJavascriptInterface method loads an external webpage it can use WebView and javascript to call a java object (like a ‘Javascript pipeline’ and usage of reflection to invoke any other unregistered Java class) which allows attackers to call Android’s Java methods.
The fix:
For applications running Android 4.2 all public methods that are annotated with JavascriptInterface can be accessed from JavaScript.
So if you develop an application for SDK version 17 or higher, you must add the @JavascriptInterface annotation to any method that you want available to your JavaScript.
If you do not provide the annotation, the method is not accessible by your web page when running on Android 4.2 or higher.
Reference
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With