OWASP category: MASVS-CODE: Code Quality
Overview
A WebView is an embedded browser component in Android applications that facilitates the display of web content within an app. It renders HTML, CSS, and JavaScript within the app's user interface.
Cross-App Scripting is broadly associated with the execution of malicious code in the context of a victim application. For the purposes of this documentation, the subject will be constrained specifically to the injection of malicious JavaScript code into a vulnerable WebView.
When an app accepts malicious JavaScript into a WebView without sufficient validation or sanitization, the application is vulnerable to Cross-App Scripting.
Impact
Cross-app scripting vulnerabilities can be exploited when attacker-controlled JavaScript content is passed to the vulnerable app's WebView without being validated or sanitized. As a result, the JavaScript code provided by the attacker is executed in the context of the victim application's WebView. The malicious JavaScript code can then use the same permissions as the victim app, which may lead to theft of sensitive user data and account hijacking.
Mitigations
Disable JavaScript
If your application does not require JavaScript, disabling it will ensure it does not become a threat:
Kotlin
// Get the WebView Object
val webView = findViewById<WebView>(R.id.webView)
val webSettings = webView.settings
// Disable JavaScript
webSettings.javaScriptEnabled = false
Java
// Get the WebView Object
WebView webView = (WebView) findViewById(R.id.webView);
WebSettings webSettings = webView.getSettings();
// Disable JavaScript for the WebView
webSettings.setJavaScriptEnabled(false);
If your application does require JavaScript, ensure that you own or control any JavaScript passed to WebView. Avoid allowing WebView to execute arbitrary JavaScript; see the guidance in the next section.
Ensure only expected content is loaded into WebView
When using methods like shouldOverrideUrlLoading(), loadUrl(), or evaluateJavascript(), make sure that any URLs passed to them are checked. As stated earlier, any JavaScript passed to the WebView should only come from expected domains, so it is important to verify what is being loaded.
Check OWASP's input validation documentation and this Android security checklist for WebViews for good advice and examples.
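The following Kotlin is an added example of the check described above; it is not code from the page. It assumes an app whose web content lives on two placeholder hosts (app.example.com and cdn.example.com) and a minSdk of 24 so that the WebResourceRequest overload of shouldOverrideUrlLoading() is available. Every path into the WebView (in-page navigation, loadUrl(), evaluateJavascript()) goes through the same allow-list, and the javascript: scheme is rejected because only https URLs on known hosts pass.

```kotlin
import android.net.Uri
import android.util.Log
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient

// Hosts the app owns. Placeholder values for this example; replace with your own.
private val ALLOWED_HOSTS = setOf("app.example.com", "cdn.example.com")

// Scripts the app itself ships. Keyed by name so callers can never pass raw JavaScript.
private val NAMED_SCRIPTS = mapOf(
    "scrollTop" to "window.scrollTo(0, 0);"
)

/**
 * Returns true only for https URLs whose host is on the allow-list.
 * Rejects "javascript:", "file:", "content:" and any host not owned by the app.
 */
fun isTrustedUrl(url: String?): Boolean {
    if (url.isNullOrBlank()) return false
    val uri = Uri.parse(url)
    if (!"https".equals(uri.scheme, ignoreCase = true)) return false
    val host = uri.host?.lowercase() ?: return false
    return host in ALLOWED_HOSTS
}

/** WebViewClient that blocks in-page navigations (links, redirects, location changes) to untrusted URLs. */
class AllowListWebViewClient : WebViewClient() {
    override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean {
        val url = request.url.toString()
        val trusted = isTrustedUrl(url)
        if (!trusted) Log.w("AllowListWebViewClient", "Blocked navigation to untrusted URL: $url")
        // Returning true tells WebView NOT to load the URL, so we return true exactly when it is untrusted.
        return !trusted
    }
}

/** Loads a URL only if it passes the allow-list; caller-supplied input never reaches loadUrl() unchecked. */
fun loadTrusted(webView: WebView, url: String): Boolean {
    if (!isTrustedUrl(url)) {
        Log.w("loadTrusted", "Refusing to load untrusted URL: $url")
        return false
    }
    webView.loadUrl(url)
    return true
}

/** Runs only a script the app ships itself, selected by name, never a string received from another app. */
fun runNamedScript(webView: WebView, name: String): Boolean {
    val js = NAMED_SCRIPTS[name] ?: run {
        Log.w("runNamedScript", "Unknown script name: $name")
        return false
    }
    webView.evaluateJavascript(js, null)
    return true
}

/** Wires the client into a WebView, typically from onCreate(). */
fun configureWebView(webView: WebView) {
    webView.webViewClient = AllowListWebViewClient()
}
```

With this in place, an Intent extra such as "javascript:alert(1)" or "https://evil.example/payload" is rejected by isTrustedUrl() before it can reach loadUrl(), and evaluateJavascript() only ever sees scripts compiled into the app.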
Set secure file access settings for WebView
Ensuring that files are not accessible can prevent arbitrary JavaScript from being executed within WebViews. The following WebSettings should be considered when securing file access:
- Disable file access. By default, setAllowFileAccess is set to true in API level 29 and lower, which will permit access to local files. In API level 30 and higher the default is false. To ensure file access is not permitted, explicitly set setAllowFileAccess to false.
- Disable content access. The default setting of setAllowContentAccess is true. Content URL access allows WebView to load content from a content provider installed in the system. If your app does not require content access, set setAllowContentAccess to false to prevent potential misuse in case of a cross-app scripting attack.
Kotlin
webView.settings.javaScriptEnabled = false
webView.settings.domStorageEnabled = true
webView.settings.allowFileAccess = false
webView.settings.allowContentAccess = false
Java
webView.getSettings().setJavaScriptEnabled(false);
webView.getSettings().setDomStorageEnabled(true);
webView.getSettings().setAllowFileAccess(false);
webView.getSettings().setAllowContentAccess(false);
Enable Safe Browsing
Enable Safe Browsing in AndroidManifest.xml to scan URLs passed to WebView for phishing or malicious domains:
<meta-data android:name="android.webkit.WebView.EnableSafeBrowsing"
           android:value="true" />
Resources
- Safe Browsing documentation
- WebView developer reference
- WebSettings for WebView developer reference
- setAllowFileAccess developer documentation
- setAllowContentAccess developer reference