I am creating an android web app using Webview and enabling Javascript through addJavascriptInterface(true).
My App will contain html data that will be loaded from an external site.
I am worried about the cross-site-scripting XSS/security of my app as I am enabling addJavascriptInterface(true).
What are the things I should be taking care of so that any malicious code can't run on my app?
I found a good study from Syracuse University called Attacks on WebView in the Android System, which illustrates how using a WebView with addJavascriptInterface(true) can enable two kinds of attacks. One, from a malicious website that will now have access to your app via the phone services you assign to the interface (e.g. Contacts, Camera, etc.) or two, a malicious app can have access to a vulnerable website, by inserting code into its Javascript.
Basically the fix for app developers is to insure that in WebView, no other URL other than that intended is allowed to be viewed in your WebView. For example, say you embed Facebook.com into your WebView, you can write code to insure that if any other advertisement in Facebook is clicked, that the external browser will open instead of displaying in your WebView. This is most common through iFrames... although the article goes more into depth about that.
Here is the example they present that insures no other URL is viewed in a WebView other than one originally intended:
WebViewclient wvclient = New WebViewClient() {
// override the "shouldOverrideUrlLoading" hook.
public boolean shouldOverrideUrlLoading(WebView view,String url){
if(!url.startsWith("http://www.facebook.com")){
Intent i = new Intent("android,intent.action.VIEW",
Uri.parse(url));
startActivity(i);
}
}
// override the "onPageFinished" hook.
public void onPageFinished(WebView view, String url) { ...}
}
webView.setWebViewClient(wvclient);
It's a great study, and outlines several different ways of attacks. Worth the read!
There is vulnerability in webview older than 4.2 when you Enable javascript for it.
Use of enabling Javascript:
Once JavaScript is enabled, you can create interfaces between your application code and your JavaScript code.
addJavascriptInterface (Object object, String name) method:
The addJavascriptInterface method injects a supplied Java object into WebView.
The object is injected into the JavaScript context of the main frame, using a supplied name and this allows the Java object’s methods to be accessed from JavaScript.
For applications running Android 4.1 or older, all public methods (including the inherited ones) can be accessed, so when a user’s installed application with addJavascriptInterface method loads an external webpage it can use WebView and javascript to call a java object (like a ‘Javascript pipeline’ and usage of reflection to invoke any other unregistered Java class) which allows attackers to call Android’s Java methods.
The fix:
For applications running Android 4.2 all public methods that are annotated with JavascriptInterface can be accessed from JavaScript.
So if you develop an application for SDK version 17 or higher, you must add the @JavascriptInterface annotation to any method that you want available to your JavaScript.
If you do not provide the annotation, the method is not accessible by your web page when running on Android 4.2 or higher.
I wrote this gist to help with locking down Android's Webview, similar to @Noni A's answer it only permits loading for whitelisted urls by overriding shouldOverrideUrlLoading but also shouldInterceptRequest which I believe is used by AJAX type calls.
