Since Android WebViews are browser controls in an app, they invite traditional web attacks. Learn how to protect against Android WebView attacks.
The Pre-KitKat (Android 4.4) WebView was largely based on WebKit and did not receive software updates (unless a device received an OTA update from the carrier or OEM). KitKat and later WebViews are based on the chromium open source browser. Since Android 5.0 (Lollipop), the WebView is packaged as a separate APK and is updated separately.
It is “the” (embedded) component that powers the majority of HTML-enabled apps and many internet apps. WebViews continue to be a current topic but for the wrong reasons. Fortunately (or unfortunately), none of these reasons are new.
Firstly, since a WebView is a browser control in an app, it invites traditional attacks associated with the web: connection hijacking, XSS, and so on. But WebViews sport other features (since the use of a WebView is implicit, we will just refer to them as apps). The developer can, by design, punch holes in the sandbox. Web content can interact with the app and vice versa. This design means that if a vulnerability exists then it can be exploited in either direction. Moreover, a common (even pervasive) model of apps is to bundle both local resources and web content in the same container (i.e. the app itself). When put together, the resulting threat model becomes more than the sum of its parts. A same origin policy (SOP) bypass can lead to device file-system access. Think stealing user data or cookies. Incorrectly processing URLs can make the app an intermediary. Think remote attacker targeting other applications (or even the app itself) by using the intermediary app as a proxy. We’ll explore these in this and forthcoming posts.
I/chromium(13478): [INFO:CONSOLE(1)] "Uncaught TypeError: Object [object Object] has no method 'secret'"
The short answer is NO.
This presents a problem: if you haven’t installed these bridges, how can you name them in order to remove them? There are three possibilities, none of which is pretty:
Andrew Lee-Thorp is an associate principal consultant at Synopsys. For over 10 years prior to this, he cut his teeth in software development from smart cards through to high-end servers systems. His current focus of attention is building the tooling and process to support Synopsys' mobile testing service as well as performing architectural risk analysis, secure code reviews, and is not averse to building software from time to time. Andrew holds two Master's degrees.