Introduction
Android WebView is a component that allows you to display web content in your Android application. It’s fairly complex to configure and easy to misconfigure. From browsers to third-party applications, they use powerful APIs to interact with the web, such as sending cookies, setting local storage, setting headers, and more. In this blog post, we will discuss how to detect WebView misconfigurations in Android with Code-PathFinder.
WebView Misconfigurations
- Cross-site scripting
- Enabling content access from WebView JavaScript
- Enabling file access from WebView JavaScript
- Enabling universal file access from WebView JavaScript
- JavaScript settings
- WebView JavaScript interface injection
Cross-site scripting
Cross-site scripting (XSS) is a type of security vulnerability that allows an attacker to inject malicious code into a web application. This can be used to steal sensitive information, such as user credentials, or to take control of the victim’s account. WebView poses a couple of methods to execute JavaScript in the context of the WebView, and it doesn’t respect the same-origin policy. Such methods are:
loadUrlloadDataloadDataWithBaseURLevaluateJavascriptevaluateJavaScriptAsync
When using these methods, it’s important to ensure that the data being passed in is properly sanitized and validated. Additionally, the application should be aware of the context in which the JavaScript code is being used. Code-PathFinder helps you find the code path where the JavaScript is being executed and the data being passed in is not properly sanitized and validated.
FROM method_invocation AS miWHERE mi.GetName() = "loadUrl" || mi.GetName() = "loadData" || mi.GetName() = "loadDataWithBaseURL" || mi.GetName() = "evaluateJavascript" || mi.GetName() = "evaluateJavaScriptAsync"SELECT mi, mi.GetEnclosingMethod()Enabling Content URL access from WebView
The content protocol allows loading data from a URL. For instance, content:// is used to load data from a file on the device such as images, videos, etc. While this is a useful feature, it can also be
misused to access sensitive data from the application’s file system. This can be done by using the setAllowContentAccess method of the WebView class. Using Code-PathFinder, you can find the code path where the
setAllowContentAccess method is being called.
FROM method_invocation AS miWHERE mi.GetName() = "setAllowContentAccess"SELECT mi, mi.GetEnclosingMethod()Enabling File access from WebView JavaScript
The file protocol allows loading data from a file on the device. For instance, file:// is used to load data from a file on the device such as images, videos, etc. While this is a useful feature, it can also be
misused to access sensitive data from the application’s file system. This can be done by using the setAllowFileAccess method of the WebView class. Using Code-PathFinder, you can find the code path where the
setAllowFileAccess and setAllowFileAccessFromFileURLs methods are being called.
FROM method_invocation AS miWHERE mi.GetName() = "setAllowFileAccess" || mi.GetName() = "setAllowFileAccessFromFileURLs"SELECT mi, mi.GetEnclosingMethod()Enabling Universal file access from WebView JavaScript
The setAllowUniversalAccessFromFileURLs method allows JavaScript to access the file protocol from any origin. This can be used to access sensitive data from the application’s file system. If this WebView setting is enabled,
the web page can access the file system of the device. While this is a useful feature to flexibly access files and content, it seriously poses a security threat when arbitrary website JavaScript is loaded into the frame.
Using Code-PathFinder, you can find the code path where the setAllowUniversalAccessFromFileURLs method is being called.
FROM method_invocation AS miWHERE mi.GetName() = "setAllowUniversalAccessFromFileURLs"SELECT mi, mi.GetEnclosingMethod()JavaScript settings
JavaScript settings can be used to control the behavior of the WebView. For instance, you can enable or disable JavaScript, enable or disable JavaScript interfaces, enable or disable JavaScript’s ability to open windows,
and enable or disable JavaScript’s ability to open popups. Using Code-PathFinder, you can find the code path where the setJavaScriptEnabled method is being called.
FROM method_invocation AS miWHERE (mi.GetName() = "setJavaScriptEnabled" && "true" in mi.getArgumentName()) || (mi.GetName() = "setJavaScriptCanOpenWindowsAutomatically" && "true" in mi.getArgumentName())SELECT mi, mi.GetEnclosingMethod()JavaScript interfaces
Here comes the most important ⚠️ and exciting part of the WebView. JavaScript interfaces allow you to expose native methods to JavaScript. For instance, you can expose a native method to JavaScript to open a file picker
or execute Java methods. Historically, JavaScript interfaces were abused to execute arbitrary code on the device and
attain remote code execution. Using Code-PathFinder, you can find the code path where the addJavascriptInterface method is being called.
predicate isJavaScriptEnabled(method_invocation mi) { mi.getName() == "addJavascriptInterface"}
FROM method_invocation AS miWHERE isJavaScriptEnabled(mi)SELECT mi.getName(), "JavaScript interface exposed"The above vulnerability classification is based on the OWASP Mobile Top 10 and OWASP Mobile Security Testing Guide.
Conclusion
While Code-PathFinder, the open-source alternative to CodeQL, is a powerful tool for finding security vulnerabilities in Android applications, one can always tweak the queries to filter out false positives
more effectively compared to grep-based scanners like Semgrep or ast-grep. This is because the taint analysis and source-to-sink analysis are far more powerful than grep-based scanners. Give it a try and file an issue
if you find any bugs or have any suggestions.
Contributing to Code-PathFinder OSS
If you are interested in contributing to Code-PathFinder, please check out the Code-PathFinder repository. Give it a try and file an issue if you find any bugs or have any suggestions.