(THIS CODING RULE OR GUIDELINE IS UNDER CONSTRUCTION)
For API level JELLY_BEAN or below, allowing an app to use the addJavascriptInterface method with untrusted content in a WebView leaves the app vulnerable to scripting attacks that use reflection to access public methods from JavaScript. Examples of untrusted content include content from any HTTP URL (as opposed to HTTPS) and user-provided content. The addJavascriptInterface(Object, String) method is called from the android.webkit.WebView class. Sensitive data and app control should not be exposed to scripting attacks.
Noncompliant Code Example
This noncompliant code example shows an application that calls the addJavascriptInterface() method and hence is not secure for API level JELLY_BEAN and lower.

```java
WebView webView = new WebView(this);
setContentView(webView);
...

class JsObject {
    private String sensitiveInformation;
    ...
    // On API 16 and below every public method of the injected object,
    // including toString(), is callable from page script.
    public String toString() {
        return sensitiveInformation;
    }
}

webView.addJavascriptInterface(new JsObject(), "injectedObject");
webView.loadData("", "text/html", null);
// Plain HTTP: the loaded content is untrusted.
webView.loadUrl("http://www.example.com");
```
JavaScript can now control the host. Java reflection could be used to access any of the public methods of an injected object, using the permissions of the app.
Compliant Solution #1
Compliant code could refrain from calling the addJavascriptInterface() method.

```java
WebView webView = new WebView(this);
setContentView(webView);
...
```
Compliant Solution #2
Another compliant solution is to specify in the app's manifest that the app is only for API levels JELLY_BEAN_MR1 and above. For these API levels, only public methods that are annotated with JavascriptInterface can be accessed from JavaScript. API level 17 is JELLY_BEAN_MR1.

```xml
<manifest>
    <uses-sdk android:minSdkVersion="17" />
    ...
</manifest>
```
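As an added illustration (not code from the CERT page), the following Java class shows what Compliant Solution #2 looks like on the Java side: only the method annotated with @JavascriptInterface is callable from page script, while the sensitive getter and toString() stay unreachable. The annotation filter is enforced for apps targeting API 17 or higher (targetSdkVersion defaults to minSdkVersion when it is not set); the install helper and its HTTPS check are assumptions added here.

```java
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

// Added example: a bridge object whose only script-reachable method is the one
// annotated with @JavascriptInterface (enforced for apps targeting API 17+).
public class SafeBridge {
    private final String sensitiveInformation;   // never reachable from script

    public SafeBridge(String sensitiveInformation) {
        this.sensitiveInformation = sensitiveInformation;
    }

    // Exposed on purpose: returns nothing sensitive, takes no object arguments.
    @JavascriptInterface
    public String appVersion() {
        return "1.0";
    }

    // Not annotated: on API 17+ page script cannot call this, with or without
    // reflection. (On API 16 and below every public method is reachable.)
    public String getSensitiveInformation() {
        return sensitiveInformation;
    }

    @Override
    public String toString() {   // also unannotated, unlike the noncompliant JsObject
        return "SafeBridge";
    }

    // Hypothetical helper (not from the page): attaches the bridge only when the
    // platform enforces the annotation and only for content loaded over HTTPS.
    public static boolean install(WebView webView, String url, String secret) {
        if (!url.startsWith("https://")) {
            return false;   // HTTP content is untrusted; do not attach a bridge
        }
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR1) {
            return false;   // pre-17 runtime exposes every public method
        }
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new SafeBridge(secret), "injectedObject");
        webView.loadUrl(url);
        return true;
    }
}
```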
Applicability
Android Version | Applicability
---|---
16 | Applies to Android API versions 16 (JELLY_BEAN) and below.
Risk Assessment
Allowing an app to provide access to the addJavascriptInterface method in a WebView that could contain untrusted content may leave it open to scripting attacks that could corrupt the host, for API level JELLY_BEAN and below.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
DRD13-J | High | Probable | Medium | P12 | L1 |
Automated Detection
Automatic detection of a call to the addJavascriptInterface() method in a WebView is straightforward. Similarly, it is straightforward to automatically ensure that the minimum API is set to JELLY_BEAN_MR1 in the app manifest. Automatic determination of whether the WebView could contain untrusted content may be impossible for some applications.
Related Guidelines
[The CERT Oracle Secure Coding Standard for Java] | SEC05-J. Do not use reflection to increase accessibility of classes, methods, or fields |
Bibliography