Remediation for JavaScript Interface Injection Vulnerability

Question

I received a warning from Google Play Console that refers me to this page because I used JavaScript Interface in my app and suggest two options to solve the problem .

Option 1 tells :

Ensure that there are no objects added to the JavaScript interface of any WebView that loads untrusted web content. You can do this in two ways:

Ensure that no objects are ever added to the JavaScript interface via calls to addJavascriptInterface.

Remove objects from the JavaScript interface in shouldInterceptRequest via removeJavascriptInterface before untrusted content is loaded by the WebView.

but I can't understand what google exactly says specially on :

Remove objects from the JavaScript interface in shouldInterceptRequest via removeJavascriptInterface before untrusted content is loaded by the WebView

can someone tell me more explanation ?

Answer 1

You can resolve this issue in following ways:

1. If your website supports HTTPS, use "https://" prefix in loadUrl method.
2. You can set android:usesCleartextTraffic to false in your Manifest or set a Network Security Config that disallows HTTP traffic. It also means that your website should run on HTTPS.

Now, coming to your question about "Remove objects from the JavaScript interface in shouldInterceptRequest via removeJavascriptInterface before untrusted content is loaded by the WebView" : It mean that your app should remove (or disable) JavaScriptInterface whenever there is any non HTTPS URL is loaded within the WebView.

After doing any of these, you need to update APK on Play Console.

Conclusion is that if you want to use JavaScriptInterface, better use HTTPS on your website. If you use HTTP, JavaScriptInterface won't be allowed by Google Play.