I am creating an Android web app using WebView and JavaScript, making addJavascriptInterface(true).
My app will contain data (HTML) that will be loaded from an external site.
I am worried about the cross-site scripting (XSS) security of my app, as I am enabling addJavascriptInterface(true).
What are the things I should be taking care of so that malicious code does not run on my app?
I found a good study from Syracuse University called Attacks on WebView in the Android System, which illustrates how using a WebView with addJavascriptInterface(true) can enable two kinds of attacks. One, from a malicious website that will now have access to your app via the phone services you assign to the interface (e.g. Contacts, Camera, etc.) or two, a malicious app can have access to a vulnerable website, by inserting code into its JavaScript.
Basically the fix for app developers is to ensure that no URL other than the one intended is allowed to be viewed in your WebView. For example, say you embed Facebook.com into your WebView, you can write code to ensure that if any other advertisement in Facebook is clicked, the external browser will open instead of displaying in your WebView. This is most common through iFrames... although the article goes more into depth about that.
Here is the example they present that ensures no URL is viewed in a WebView other than the one originally intended:
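import android.content.Intent;
import android.net.Uri;
import android.webkit.WebView;
import android.webkit.WebViewClient;

WebViewClient wvclient = new WebViewClient() {
    // override the "shouldOverrideUrlLoading" hook.
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        if (!url.startsWith("http://www.facebook.com")) {
            // any other URL is handed to the external browser
            Intent i = new Intent("android.intent.action.VIEW",
                                  Uri.parse(url));
            startActivity(i);
            return true;   // handled here; the WebView does not load it
        }
        return false;      // intended site: let the WebView load it
    }
    // override the "onPageFinished" hook.
    @Override
    public void onPageFinished(WebView view, String url) { ... }
};
webView.setWebViewClient(wvclient);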
It's a great study, and outlines several different ways of attack. Worth the read!
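The prefix test in the snippet above also accepts any host that merely begins with the intended name, so a stricter allowlist parses the URL and compares scheme and host exactly. This is an added example, not code from the answer or the study; the class name, the https-only rule and the sample URLs are assumptions constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public class AllowlistCheck {
    // Assumption: the only host the WebView is meant to display.
    static final Set<String> ALLOWED_HOSTS = Set.of("www.facebook.com");

    // The check as written in the answer's snippet: a plain string-prefix test.
    static boolean prefixCheck(String url) {
        return url.startsWith("http://www.facebook.com");
    }

    // Stricter check: parse first, then compare scheme and host exactly.
    static boolean strictCheck(String url) {
        try {
            URI u = new URI(url);
            String scheme = u.getScheme();
            String host = u.getHost();
            if (scheme == null || host == null) return false;  // opaque or relative
            if (u.getRawUserInfo() != null) return false;      // reject user@host forms
            // Assumption: https only, so page content cannot be altered in transit.
            return scheme.equalsIgnoreCase("https")
                    && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
        } catch (URISyntaxException e) {
            return false;  // fail closed: unparseable URLs stay out of the WebView
        }
    }

    public static void main(String[] args) {
        // Constructed sample URLs.
        String[] samples = {
            "https://www.facebook.com/home.php",
            "http://www.facebook.com/home.php",
            "http://www.facebook.com.attacker.example/",
            "http://www.facebook.com@attacker.example/",
            "javascript:alert(1)"
        };
        for (String s : samples) {
            System.out.printf("%-45s prefix=%-5b strict=%b%n",
                    s, prefixCheck(s), strictCheck(s));
        }
    }
}
```

Inside shouldOverrideUrlLoading, a URL that fails strictCheck would be sent to the external browser (return true) and one that passes would be left to the WebView (return false).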