Android app using WebView/JavaScript: what can be a security concern?

Amit sinha · Apr 1, 2013 · Viewed 11.8k times

I am creating an Android web app using WebView and JavaScript, with addJavascriptInterface(true) enabled.

My app will contain data (HTML) that will be loaded from an external site.

I am worried about cross-site scripting (XSS) and the security of my app, as I am enabling addJavascriptInterface(true).

What are the things I should take care of so that no malicious code can run in my app?

Answer

Azurespot · Feb 20, 2015

I found a good study from Syracuse University called Attacks on WebView in the Android System, which illustrates how using a WebView with addJavascriptInterface(true) can enable two kinds of attacks. One, a malicious website will now have access to your app via the phone services you assign to the interface (e.g. Contacts, Camera, etc.), or two, a malicious app can gain access to a vulnerable website by inserting code into its JavaScript.

Basically the fix for app developers is to ensure that no URL other than the intended one is allowed to be viewed in your WebView. For example, say you embed Facebook.com into your WebView; you can write code to ensure that if any advertisement on Facebook is clicked, the external browser will open instead of displaying it in your WebView. This is most common through iframes... although the article goes more into depth about that.

Here is the example they present that ensures no URL other than the one originally intended is viewed in a WebView:

// Inside the Activity that owns the WebView (needs android.content.Intent, android.net.Uri,
// android.webkit.WebView and android.webkit.WebViewClient imported).
WebViewClient wvclient = new WebViewClient() {
  // Override the "shouldOverrideUrlLoading" hook.
  @Override
  public boolean shouldOverrideUrlLoading(WebView view, String url) {
    if (!url.startsWith("http://www.facebook.com")) {
      // Any other URL is handed to the external browser instead of this WebView.
      Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse(url));
      startActivity(i);
      return true;   // consumed: the WebView must not load it
    }
    return false;    // the intended site loads in the WebView as usual
  }
  // Override the "onPageFinished" hook.
  @Override
  public void onPageFinished(WebView view, String url) { /* ... */ }
};
webView.setWebViewClient(wvclient);

It's a great study, and outlines several different kinds of attacks. Worth the read!
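The following is an added example of the same idea carried a step further; it is not code from the question, the answer, or the Syracuse paper. Two details a practitioner would want beyond the prefix check above: a string prefix such as startsWith("http://www.facebook.com") also matches a host like www.facebook.com.attacker.example, so the gate compares the parsed host against an exact allowlist and insists on https; and since API 17 only methods annotated @JavascriptInterface are callable from page script, so the exposed object stays minimal. The host list, the "AndroidBridge" name and the Bridge class are hypothetical stand-ins for whatever an app actually exposes.

```java
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.os.Handler;
import android.os.Looper;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.widget.Toast;
import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class HardenedWebViewActivity extends Activity {

    // Hosts allowed to load inside this WebView (hypothetical; list the site plus the CDNs it needs).
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.facebook.com", "m.facebook.com"));

    /** True only for https URLs whose parsed host is on the allowlist. */
    static boolean isAllowed(String url) {
        Uri uri = Uri.parse(url);
        String host = uri.getHost();
        // Exact host match: "http://www.facebook.com.attacker.example/" passes a
        // startsWith("http://www.facebook.com") test but is rejected here.
        return "https".equals(uri.getScheme())
                && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** Object exposed to page script (hypothetical). Every page loaded in the view can reach it. */
    public static class Bridge {
        private final Context ctx;
        private final Handler main = new Handler(Looper.getMainLooper());
        Bridge(Context ctx) { this.ctx = ctx.getApplicationContext(); }

        // Only @JavascriptInterface methods are callable from JavaScript (API 17+); the
        // annotation is the allowlist, so unannotated helpers stay private to the app.
        @JavascriptInterface
        public void showToast(String msg) {
            // Bridge calls arrive on a background thread: marshal to the UI thread, cap untrusted input.
            final String safe = msg == null ? "" : msg.substring(0, Math.min(msg.length(), 80));
            main.post(() -> Toast.makeText(ctx, safe, Toast.LENGTH_SHORT).show());
        }
    }

    private WebViewClient hardenedClient() {
        return new WebViewClient() {
            // Navigation gate, API 24+ signature.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return divert(request.getUrl().toString());
            }

            // Same gate for the pre-API-24 overload still invoked on older devices.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return divert(url);
            }

            // Subresource gate: scripts, images and iframe content from other hosts get an empty
            // response, because shouldOverrideUrlLoading alone does not see every fetch a page makes.
            @Override
            public WebResourceResponse shouldInterceptRequest(WebView view, WebResourceRequest request) {
                if (isAllowed(request.getUrl().toString())) {
                    return null; // null lets the WebView fetch it normally
                }
                return new WebResourceResponse("text/plain", "utf-8", new ByteArrayInputStream(new byte[0]));
            }

            private boolean divert(String url) {
                if (isAllowed(url)) {
                    return false; // the intended site loads in the WebView, bridge included
                }
                // Anything else leaves the app: the external browser has no addJavascriptInterface object.
                Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse(url));
                if (i.resolveActivity(getPackageManager()) != null) {
                    startActivity(i);
                }
                return true; // consumed: the WebView must not load it
            }
        };
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);                 // required for the bridge, so lock down the rest
        s.setAllowFileAccess(false);                  // page script must not read local files
        s.setAllowContentAccess(false);               // nor content:// providers
        s.setAllowFileAccessFromFileURLs(false);      // deprecated since API 30, still honoured earlier
        s.setAllowUniversalAccessFromFileURLs(false);

        webView.addJavascriptInterface(new Bridge(this), "AndroidBridge"); // hypothetical bridge name
        webView.setWebViewClient(hardenedClient());
        webView.loadUrl("https://www.facebook.com/");
    }
}
```

The allowlist has to name every host the page legitimately loads from (for a real site that includes its CDN hosts), otherwise shouldInterceptRequest blanks those assets; that is deliberate, since any host you do not list is one whose script cannot reach AndroidBridge. On an app that only needs one-way display, dropping addJavascriptInterface entirely is still the strongest fix.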