Skip to content

Detecting WebView Misconfigurations in Android With Code-PathFinder

Introduction

Android WebView is a component that allows you to display web content in your Android application. It’s fairly complex to configure and easy to misconfigure. From browsers to third-party applications, they use powerful APIs to interact with the web, such as sending cookies, setting local storage, setting headers, and more. In this blog post, we will discuss how to detect WebView misconfigurations in Android with Code-PathFinder.

Android WebView Illustration

WebView Misconfigurations

  • Cross-site scripting
  • Enabling content access from WebView JavaScript
  • Enabling file access from WebView JavaScript
  • Enabling universal file access from WebView JavaScript
  • JavaScript settings
  • WebView JavaScript interface injection

Cross-site scripting

Cross-site scripting (XSS) is a type of security vulnerability that allows an attacker to inject malicious code into a web application. This can be used to steal sensitive information, such as user credentials, or to take control of the victim’s account. WebView poses a couple of methods to execute JavaScript in the context of the WebView, and it doesn’t respect the same-origin policy. Such methods are:

  • loadUrl
  • loadData
  • loadDataWithBaseURL
  • evaluateJavascript
  • evaluateJavaScriptAsync

When using these methods, it’s important to ensure that the data being passed in is properly sanitized and validated. Additionally, the application should be aware of the context in which the JavaScript code is being used. Code-PathFinder helps you find the code path where the JavaScript is being executed and the data being passed in is not properly sanitized and validated.

FROM method_invocation AS mi
WHERE
mi.GetName() = "loadUrl" || mi.GetName() = "loadData"
|| mi.GetName() = "loadDataWithBaseURL"
|| mi.GetName() = "evaluateJavascript"
|| mi.GetName() = "evaluateJavaScriptAsync"
SELECT mi, mi.GetEnclosingMethod()

Enabling Content URL access from WebView

The content protocol allows loading data from a URL. For instance, content:// is used to load data from a file on the device such as images, videos, etc. While this is a useful feature, it can also be misused to access sensitive data from the application’s file system. This can be done by using the setAllowContentAccess method of the WebView class. Using Code-PathFinder, you can find the code path where the setAllowContentAccess method is being called.

FROM method_invocation AS mi
WHERE
mi.GetName() = "setAllowContentAccess"
SELECT mi, mi.GetEnclosingMethod()

Enabling File access from WebView JavaScript

The file protocol allows loading data from a file on the device. For instance, file:// is used to load data from a file on the device such as images, videos, etc. While this is a useful feature, it can also be misused to access sensitive data from the application’s file system. This can be done by using the setAllowFileAccess method of the WebView class. Using Code-PathFinder, you can find the code path where the setAllowFileAccess and setAllowFileAccessFromFileURLs methods are being called.

FROM method_invocation AS mi
WHERE
mi.GetName() = "setAllowFileAccess"
|| mi.GetName() = "setAllowFileAccessFromFileURLs"
SELECT mi, mi.GetEnclosingMethod()

Enabling Universal file access from WebView JavaScript

The setAllowUniversalAccessFromFileURLs method allows JavaScript to access the file protocol from any origin. This can be used to access sensitive data from the application’s file system. If this WebView setting is enabled, the web page can access the file system of the device. While this is a useful feature to flexibly access files and content, it seriously poses a security threat when arbitrary website JavaScript is loaded into the frame. Using Code-PathFinder, you can find the code path where the setAllowUniversalAccessFromFileURLs method is being called.

FROM method_invocation AS mi
WHERE
mi.GetName() = "setAllowUniversalAccessFromFileURLs"
SELECT mi, mi.GetEnclosingMethod()

JavaScript settings

JavaScript settings can be used to control the behavior of the WebView. For instance, you can enable or disable JavaScript, enable or disable JavaScript interfaces, enable or disable JavaScript’s ability to open windows, and enable or disable JavaScript’s ability to open popups. Using Code-PathFinder, you can find the code path where the setJavaScriptEnabled method is being called.

FROM method_invocation AS mi
WHERE
(mi.GetName() = "setJavaScriptEnabled" && "true" in mi.getArgumentName())
|| (mi.GetName() = "setJavaScriptCanOpenWindowsAutomatically" && "true" in mi.getArgumentName())
SELECT mi, mi.GetEnclosingMethod()

JavaScript interfaces

Here comes the most important ⚠️ and exciting part of the WebView. JavaScript interfaces allow you to expose native methods to JavaScript. For instance, you can expose a native method to JavaScript to open a file picker or execute Java methods. Historically, JavaScript interfaces were abused to execute arbitrary code on the device and attain remote code execution. Using Code-PathFinder, you can find the code path where the addJavascriptInterface method is being called.

predicate isJavaScriptEnabled(method_invocation mi) {
mi.getName() == "addJavascriptInterface"
}
FROM method_invocation AS mi
WHERE isJavaScriptEnabled(mi)
SELECT mi.getName(), "JavaScript interface exposed"

The above vulnerability classification is based on the OWASP Mobile Top 10 and OWASP Mobile Security Testing Guide.

Conclusion

While Code-PathFinder, the open-source alternative to CodeQL, is a powerful tool for finding security vulnerabilities in Android applications, one can always tweak the queries to filter out false positives more effectively compared to grep-based scanners like Semgrep or ast-grep. This is because the taint analysis and source-to-sink analysis are far more powerful than grep-based scanners. Give it a try and file an issue if you find any bugs or have any suggestions.

Contributing to Code-PathFinder OSS

If you are interested in contributing to Code-PathFinder, please check out the Code-PathFinder repository. Give it a try and file an issue if you find any bugs or have any suggestions.