Android

Space shortcuts

Page tree

Versions Compared

Old Version 5

changes.mady.by.user Will Snavely

Saved on

compared with

New Version 6

changes.mady.by.user Unknown User (lflynn)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

(THIS CODING RULE OR GUIDELINE IS UNDER CONSTRUCTION)

Allowing web apps to use JavaScript leaves For API level JELLY_BEAN or below, allowing an app to use the addJavascriptInterface method with untrusted content in a WebView leaves the app vulnerable to scripting attacks such as cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.  By default, JavaScript is disabled in WebView.  However, it is possible to enable it by using the attacks using reflection to access public methods from JavaScript.  The method addJavascriptInterface(Object, String) is called from the android.webkit.WebView class. Doing so is dangerous. Sensitive or personal data and app control should not be exposed to a JavaScript interfacescripting attack. Also, code received via such an interface cannot be trusted and it could corrupt the network or server.

Noncompliant Code Example

This noncompliant code example shows an application that calls the addJavascriptInterface() method, and hence is not secure for API level JELLY_BEAN and lower.

Code Block
bgColor#FFCCCC
WebView webView = new WebView(this);
setContentView(webView);
...
class JsObject {
    @JavascriptInterface
    public String toString() { return "injectedObject"; }
 }
 webView.addJavascriptInterface(new JsObject(), "injectedObject");
 webView.loadData("", "text/html", null);
 webView.loadUrl("javascript:alert(injectedObject.toString())");

JavaScript can now control the host. In particular, Java reflection could be used to access the fields of an injected objectany of the public methods of an injected object, using the permissions of the app.

Compliant Solution #1

Compliant code should could not call the addJavascriptInterface() method, leaving the WebView in the default safe state of having JavaScript disabled.

Code Block
bgColor#CCCCFF
WebView webView = new WebView(this);
setContentView(webView);
...

Compliant Solution #2

Another compliant solution is to specify in the app's manifest that the app is only for API levels JELLY_BEAN_MR1 and above. For these API levels, only public methods that are annotated with JavascriptInterface can be accessed from JavaScript. API level 17 is JELLY_BEAN_MR1.

Code Block
bgColor#CCCCFF
<manifest>
<uses-sdk android:minSdkVersion="17" />
...

</manifest>

Risk Assessment

Allowing an app to use JavaScript may leave it open to scripting attacks that could corrupt the host.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

DRD13-J

High

Probable

Medium

P12

L1

Automated Detection

Automatic detection of a call to the addJavascriptInterface() method in a WebView is straightforward. Automatic detection of if the minimum API is set to JELLY_BEAN_MR1 in the app manifest is straightforward. Determination of whether the WebView could contain untrusted content could be impossible to do in an automated way for some applications.

Bibliography

[Android API 2013]class WebView
[Android API 2013]<uses-sdk>

 

...