2

For my Android app I am using a WebView to render my website, and I have created a JavascriptInterface object to communicate between the app and the website. I want to allow other users to put iframes inside my website, but I was wondering whether they can access my JS interface object from these iframes?

If it is possible, how can I fix this security issue?

ted

2 Answers

0

Yes - all the JavaScript in a WebView has access to the same JavaScript interface, regardless of the server it comes from, because it's executed locally.

You can test this by running two Python SimpleHTTPServer instances on different ports over a local network: they are considered different hosts (an XMLHttpRequest, for example, will result in a cross-origin request error), but you can still call methods from JavaScript even with your iframe coming from a different host.

So far I have not been able to find a way to circumvent this. The Android docs recommend "exposing addJavascriptInterface() only to JavaScript that is contained within your application APK", but there is no mention of how to achieve this.

As the Java object is passed on to JavaScript, and all of the JavaScript is executed within the context of a WebView, I would guess it is up to the Android implementation of WebView / WebViewProvider to provide such a method, but Marshmallow's addJavascriptInterface() is empty as far as the Java framework is concerned (see WebView.java and WebViewProvider.java). It didn't use to be, so maybe that's when the security doc is from.

mijiturka
0

I guess a special technique might be employed. For example, the web page might call a method to unlock your API. Then the embedding application should call the evaluateJavascript method, which will be executed in the main frame, and pass a security key to the JavaScript world of the main frame. All calls to the API methods should be made with this key as a parameter.

beefeather
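The key-gated bridge that the second answer describes, written out as an added example; it is not code from either answer or from the Android framework. `GatedBridge`, `AppBridge`, `getProfile`, `window.onBridgeKey` and the host `app.example.com` are assumed names, and the returned payload is constructed.

```java
import android.net.Uri;
import android.util.Base64;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

/** Added example: bridge whose methods refuse calls that lack a per-page-load key. */
public final class GatedBridge {
    // Assumption: placeholder for the only origin allowed to receive the key.
    private static final String TRUSTED_HOST = "app.example.com";
    // Empty array means "locked". Volatile: bridge methods run off the UI thread.
    private volatile byte[] key = new byte[0];

    /** The object is reachable from every frame, so each method checks the key first. */
    @JavascriptInterface
    public String getProfile(String presentedKey) {   // hypothetical API method
        if (!isValid(presentedKey)) return null;      // locked, or wrong key
        return "{\"name\":\"demo\"}";                 // constructed sample payload
    }

    private boolean isValid(String presented) {
        byte[] expected = key;
        if (presented == null || expected.length == 0) return false;
        // Constant-time comparison of the presented and expected key bytes.
        return MessageDigest.isEqual(expected, presented.getBytes(StandardCharsets.US_ASCII));
    }

    public static void install(WebView webView) {
        final GatedBridge bridge = new GatedBridge();
        webView.addJavascriptInterface(bridge, "AppBridge");
        webView.setWebViewClient(new WebViewClient() {
            @Override public void onPageFinished(WebView view, String url) {
                bridge.key = new byte[0];             // re-lock on every main-frame load
                Uri u = Uri.parse(url);
                if (!"https".equals(u.getScheme()) || !TRUSTED_HOST.equals(u.getHost())) return;
                byte[] raw = new byte[32];
                new SecureRandom().nextBytes(raw);
                String k = Base64.encodeToString(raw,
                        Base64.URL_SAFE | Base64.NO_WRAP | Base64.NO_PADDING);
                bridge.key = k.getBytes(StandardCharsets.US_ASCII);
                // Runs in the main frame only. The page must keep the key in a
                // closure and never post it to embedded frames.
                view.evaluateJavascript("window.onBridgeKey && window.onBridgeKey('" + k + "');", null);
            }
        });
    }
}
```

The gate relies on the browser's same-origin policy keeping cross-origin iframes out of the main frame's JavaScript scope. A same-origin frame, or script injected into the main page, can still read the key, so the page should store it in a closure and not on `window`.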