Allowing web apps to use JavaScript leaves the app vulnerable to scripting attacks such as cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. By default, JavaScript is disabled in WebView. However, it is possible to enable it by using the method addJavascriptInterface(Object, String) from the android.webkit.WebView class. Doing so is dangerous. Sensitive or personal data should not be exposed to a JavaScript interface. Also, code received via such an interface cannot be trusted and it could corrupt the network or server.
Noncompliant Code Example
This noncompliant code example shows an application that calls the addJavascriptInterface() method, and hence is not secure.
WebView webView = new WebView(this);
setContentView(webView);
...
class JsObject {
@JavascriptInterface
public String toString() { return "injectedObject"; }
}
webView.addJavascriptInterface(new JsObject(), "injectedObject");
webView.loadData("", "text/html", null);
webView.loadUrl("javascript:alert(injectedObject.toString())");
JavaScript can now control the host. In particular, Java reflection could be used to access the fields of an injected object.
Compliant Solution
Compliant code should not call the addJavascriptInterface() method, leaving the WebView in the default safe state of having JavaScript disabled.
WebView webView = new WebView(this); setContentView(webView); ...
Risk Assessment
Allowing an app to use JavaScript may leave it open to scripting attacks that could corrupt the host.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
DRD13-J | High | Probable | Medium | P12 | L1 |
Automated Detection
Automatic detection of a call to the addJavascriptInterface() method is straightforward.