A critical aspect of Android development involves the correct handling of WebViews. This guide highlights key configurations and security practices to mitigate risks associated with WebView usage.
By default, WebViews permit file access. This functionality is controlled by the `setAllowFileAccess()` method, available since Android API level 3 (Cupcake 1.5). Applications with the `android.permission.READ_EXTERNAL_STORAGE` permission can read files from external storage using a file URL scheme (`file://path/to/file`).
Universal access from file URLs defaults to `false` for apps targeting Android Jelly Bean and newer. Use `getAllowUniversalAccessFromFileURLs()` to check and `setAllowUniversalAccessFromFileURLs(boolean)` to set; likewise, use `getAllowFileAccessFromFileURLs()` to check and `setAllowFileAccessFromFileURLs(boolean)` to set.
To disable file system access while still accessing assets and resources, the `setAllowFileAccess()` method is used. With Android R and above, the default setting is `false`. Use `getAllowFileAccess()` to check and `setAllowFileAccess(boolean)` to set.
.The WebViewAssetLoader class is the modern approach for loading local files. It uses http(s) URLs for accessing local assets and resources, aligning with the Same-Origin policy, thus facilitating CORS management.
This is a common function used to load arbitrary URLs in a WebView:

```java
webview.loadUrl("<url here>")
```

Of course, a potential attacker should never be able to control the URL that an application is going to load.
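As an added example (not code from the original page), here is a hardened setup that applies the file-access settings above, serves local content through `WebViewAssetLoader`, and validates every URL before it reaches `loadUrl()`. It assumes the `androidx.webkit` library; the class name `HardenedWebView`, the `configure()` helper and the `ALLOWED_HOSTS` entries are placeholders for illustration.

```java
import android.content.Context;
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import androidx.webkit.WebViewAssetLoader;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
public final class HardenedWebView {
    // Placeholder allowlist for this example; the asset-loader host is needed for local content.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(
            Arrays.asList("example.com", "appassets.androidplatform.net"));
    // Accept only https URLs on an allowlisted host: file://, content://, intent://,
    // javascript: and look-alike hosts such as example.com.evil.test are all rejected.
    static boolean isAllowedUrl(String url) {
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return false;
        return scheme.equalsIgnoreCase("https") && ALLOWED_HOSTS.contains(host.toLowerCase());
    }
    static void configure(WebView webView, Context ctx, String initialUrl) {
        WebSettings s = webView.getSettings();
        s.setAllowFileAccess(false);                 // no file:// loads (default since Android R)
        s.setAllowContentAccess(false);              // no content:// loads either
        s.setAllowFileAccessFromFileURLs(false);     // deprecated, but set explicitly for old targets
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setJavaScriptEnabled(false);               // enable only if the content truly needs it
        // Local files are served as https://appassets.androidplatform.net/assets/<file>,
        // so they get a real origin instead of file:// and the same-origin policy applies.
        final WebViewAssetLoader loader = new WebViewAssetLoader.Builder()
                .addPathHandler("/assets/", new WebViewAssetLoader.AssetsPathHandler(ctx))
                .build();
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public WebResourceResponse shouldInterceptRequest(WebView v, WebResourceRequest r) {
                return loader.shouldInterceptRequest(r.getUrl());
            }
            @Override
            public boolean shouldOverrideUrlLoading(WebView v, WebResourceRequest r) {
                return !isAllowedUrl(r.getUrl().toString()); // returning true blocks the navigation
            }
        });
        if (isAllowedUrl(initialUrl)) webView.loadUrl(initialUrl); // untrusted input never reaches loadUrl unchecked
    }
}
```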
JavaScript in a WebView is enabled with `setJavaScriptEnabled()`. Caution is advised, as enabling JavaScript without proper safeguards can introduce security vulnerabilities. WebViews can also handle the `intent` scheme, which can lead to exploits if not carefully managed. An example vulnerability involved an exposed WebView parameter "support_url" that could be exploited to execute cross-site scripting (XSS) attacks. Exploitation example using adb:

```bash
adb.exe shell am start -n com.tmh.vulnwebview/.SupportWebView --es support_url "https://example.com/xss.html"
```
A feature is provided by Android that enables JavaScript in a WebView to invoke native Android app functions. This is achieved by utilizing the `addJavascriptInterface` method, which integrates JavaScript with native Android functionalities, termed a WebView JavaScript bridge. Caution is advised, as this method allows all pages within the WebView to access the registered JavaScript Interface object, posing a security risk if sensitive information is exposed through these interfaces.

```java
// Bridge object whose annotated methods become callable from JavaScript
public class JavascriptBridge {
    @JavascriptInterface
    public String getSecret() {
        return "SuperSecretPassword";
    }
}
```

```java
webView.addJavascriptInterface(new JavascriptBridge(), "javascriptBridge");
webView.reload();
```

Any page loaded in the WebView can then call it:

```html
<script>alert(javascriptBridge.getSecret());</script>
```
The `@JavascriptInterface` annotation prevents unauthorized method access, limiting the attack surface.

```java
// Enables remote debugging of WebView contents unconditionally
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) {
    WebView.setWebContentsDebuggingEnabled(true);
}
```

```java
// Safer: enable WebView debugging only when the app itself is debuggable
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) {
    if (0 != (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE)) {
        WebView.setWebContentsDebuggingEnabled(true);
    }
}
```
```javascript
// Reads a private app file through the WebView when file URL access is allowed
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
    if (xhr.readyState == XMLHttpRequest.DONE) {
        alert(xhr.responseText);
    }
};
xhr.open('GET', 'file:///data/data/com.authenticationfailure.wheresmybrowser/databases/super_secret.db', true);
xhr.send(null);
```