You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

(THIS CODING RULE OR GUIDELINE IS UNDER CONSTRUCTION)

Allowing web apps to use JavaScript leaves the app vulnerable to scripting attacks such as cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.  By default, JavaScript is disabled in WebView.  However, it is possible to enable it by using the method addJavascriptInterface(Object, String) from the android.webkit.WebView class. Doing so is dangerous. Sensitive or personal data should not be exposed to a JavaScript interface. Also, code received via such an interface cannot be trusted and it could corrupt the network or server.

Noncompliant Code Example

This noncompliant code example shows an application that calls the addJavascriptInterface() method, and hence is not secure.

WebView webView = new WebView(this);
setContentView(webView);
...
class JsObject {
    @JavascriptInterface
    public String toString() { return "injectedObject"; }
 }
 webView.addJavascriptInterface(new JsObject(), "injectedObject");
 webView.loadData("", "text/html", null);
 webView.loadUrl("javascript:alert(injectedObject.toString())");

JavaScript can now control the host. In particular, Java reflection could be used to access the fields of an injected object.

Compliant Solution

Compliant code should not call the addJavascriptInterface() method, leaving the WebView in the default safe state of having JavaScript disabled.

WebView webView = new WebView(this);
setContentView(webView);
...

Risk Assessment

Allowing an app to use JavaScript may leave it open to scripting attacks that could corrupt the host.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

DRD13-J

High

Probable

Medium

P12

L1

Automated Detection

Automatic detection of a call to the addJavascriptInterface() method is straightforward.

Bibliography

 


  • No labels