An overview of the

There are three kinds of security vulnerabilities in WebView, which are:

  • Remote code execution vulnerability
  • Password plaintext storage vulnerability
  • Lax domain control vulnerability

The causes and solutions of each vulnerability are analyzed as follows:

1. Remote code execution vulnerability

(1) WebView addJavascriptInterface() interface

Causes:

In Android API level 17 and earlier, the program does not properly restrict the use of the addJavascriptInterface method, so a remote attacker can use the Java reflection API to execute methods on arbitrary Java objects. addJavascriptInterface adds a JavaScript bridge to the WebView, through which JavaScript can call the local Java object directly. The consequences range from the phone being installed with a Trojan, premium-rate SMS being sent, and the contacts and SMS being stolen, to files on the SD card and other local data being read, causing information leakage or even remote control of the phone.

// Parameter 1: the Android native object
// Parameter 2: the name under which JavaScript sees the object
// Object mapping associates the native Android object with a JS object,
// so that JS can call the Android object's methods.
webView.addJavascriptInterface(new MyJavaScriptInterface(), "myandroid");

Once JS holds the Android object, it can use the Java reflection mechanism to call every method of that object, including methods of system classes such as java.lang.Runtime, and thereby execute arbitrary code.

Java reflection: reflection is the ability of a program to retrieve information about itself at runtime. If you know the name of a class, or hold an instance of it, you can find all the methods and variables of that class (method names, variable names, modifiers, types, method parameters, and so on). The most important function of reflection is obtaining the Class object at runtime:

Class c = Class.forName("path.of.the.Class");
Class c = ClassName.class;
Class c = instance.getClass();

The Android object's getClass() returns its Class; calling forName() on that Class loads java.lang.Runtime, and the Runtime object obtained from it executes local commands.

function execute(cmdArgs) {
    for (var obj in window) {
        console.log(obj);
        if ("getClass" in window[obj]) {
            alert(obj);
            return window[obj].getClass().forName("java.lang.Runtime")
                .getMethod("getRuntime", null).invoke(null, null).exec(cmdArgs);
        }
    }
}
// Read the file names from the command's input stream after it runs: a serious privacy risk.
var p = execute(["ls", "/mnt/sdcard/"]);
document.write(getInputStream2String(p.getInputStream()));

Solution:

If you must use addJavascriptInterface, apply the following: on Android 4.2 and above, every method that JavaScript is allowed to call must carry the @JavascriptInterface annotation, which blocks the reflection attack. Below Android 4.2, use setWebChromeClient and override onJsPrompt() to intercept prompt() messages for the interaction instead.

(2) WebView's built-in exported searchBoxJavaBridge_, accessibility and accessibilityTraversal objects

Causes:

In Android 4.4 and below there are three hidden interfaces with remote code execution vulnerabilities: the "searchBoxJavaBridge_" interface in android/webkit/WebView.java, and the "accessibility" and "accessibilityTraversal" interfaces in android/webkit/AccessibilityInjector.java. An app whose WebView exposes these three interfaces faces remote code execution on Android systems where a third-party service is enabled in the accessibility options.

Solution:

When creating the WebView, call WebView.removeJavascriptInterface(String name) to remove the searchBoxJavaBridge_, accessibility and accessibilityTraversal interfaces.

webView.removeJavascriptInterface("searchBoxJavaBridge_");
webView.removeJavascriptInterface("accessibility");
webView.removeJavascriptInterface("accessibilityTraversal");
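Putting both remedies from this section together, as an added example that is not code from the original post: a WebView on which only the single annotated method is reachable from JavaScript and the three hidden bridge objects are removed on affected versions. Only the Android framework APIs are real; the SafeBridge and HostApi class names and the returned value are assumed for illustration.

```java
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;

public final class SafeBridge {

    // Only methods carrying @JavascriptInterface are callable from JS on API 17+;
    // getClass() and every other method on this object stay hidden from the page.
    public static final class HostApi {
        @JavascriptInterface
        public String appVersion() {
            return "1.0"; // constructed value for the example
        }
    }

    public static void configure(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            // API 17+: the annotation check restricts what JS can reach via reflection.
            webView.addJavascriptInterface(new HostApi(), "myandroid");
        }
        // Below API 17 no annotation check exists, so no bridge object is exposed at all;
        // native calls would have to go through WebChromeClient.onJsPrompt() instead.

        // Strip the hidden bridges the framework itself injects on Android 4.4 and below.
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP) {
            webView.removeJavascriptInterface("searchBoxJavaBridge_");
            webView.removeJavascriptInterface("accessibility");
            webView.removeJavascriptInterface("accessibilityTraversal");
        }
    }
}
```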

2. Password plaintext storage vulnerability

Causes:

WebView enables the password saving function by default (mWebView.getSettings().setSavePassword(true)). With it enabled, a dialog box asks the user whether to save the password whenever one is entered. If the user selects "yes", the password is written in plaintext to /data/data/com.package.name/databases/webview.db, so it is at risk of being stolen.

Solution:

Call WebSettings.setSavePassword(false) to turn off the password-saving prompt and prevent plaintext passwords from being stolen locally.

3. Lax domain control vulnerability

Causes:

public class WebViewActivity extends Activity {
    private WebView webView;
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_webview);
        webView = (WebView) findViewById(R.id.webView);

        //webView.getSettings().setAllowFileAccess(false);                    (1)
        //webView.getSettings().setAllowFileAccessFromFileURLs(true);         (2)
        //webView.getSettings().setAllowUniversalAccessFromFileURLs(true);  (3)

        Intent intent = getIntent();
        String url = intent.getData().toString();
        webView.loadUrl(url);
    }
}

android:exported="true" on the Activity indicates that it can be started by a component of another application.

For example:

If application A exports an Activity (android:exported="true") that loads the URL it receives, a malicious application B can make it load a file protocol URL and obtain A's internal private files, which poses a data leakage threat.

  • Same-origin policy bypass via cross-domain access: files in the private directory can be read
  • For IM products, chat history, contacts and similar data are leaked
  • For browser software, cookies are leaked

By default, WebView allows the file protocol, i.e. setAllowFileAccess(true). Set setAllowFileAccess(false) to prevent loading of local files. Chrome for Android does not allow loading file:// URLs by default.

If the file protocol is not allowed, this threat disappears, but it also removes the WebView's ability to load local HTML files that the app may need.

Solution:

For applications that do not use the file protocol, disable it with setAllowFileAccess(false). For applications that require the file protocol, do not let pages loaded over it execute JavaScript.

// Setting this to false makes it impossible to load local HTML files
setAllowFileAccess(true);
// Whether JavaScript loaded via a file URL may read other local files
setAllowFileAccessFromFileURLs(false);
// Whether JavaScript loaded via a file URL may access content from any other origin,
// i.e. other files as well as http, https and other sources (same-origin cross-domain access)
setAllowUniversalAccessFromFileURLs(false);

if (url.startsWith("file://")) {
    setJavaScriptEnabled(false);
} else {
    setJavaScriptEnabled(true);
}
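A hardened version of the WebViewActivity shown above, as an added example that is not code from the original post: it closes all three file-protocol settings and refuses to load anything but http(s) URLs, whether they arrive through the Intent or through a later navigation. The SafeWebViewActivity class name and the isAllowed helper are assumed; the layout and view ids are taken from the original snippet.

```java
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class SafeWebViewActivity extends Activity {
    private WebView webView;

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_webview);
        webView = (WebView) findViewById(R.id.webView);

        WebSettings settings = webView.getSettings();
        // Close all three file-protocol doors left open in the lax example.
        settings.setAllowFileAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);
        settings.setJavaScriptEnabled(true);

        // Block navigations to any non-http(s) scheme, including file://,
        // regardless of which page or caller requested them.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowed(url); // returning true cancels the load
            }
        });

        // The Intent data comes from an external caller when the Activity is exported,
        // so it is validated before use rather than passed straight to loadUrl().
        String url = getIntent().getDataString();
        if (isAllowed(url)) {
            webView.loadUrl(url);
        } else {
            finish(); // untrusted scheme or no URL: do not load anything
        }
    }

    // Assumed helper: only http and https schemes are accepted.
    static boolean isAllowed(String url) {
        if (url == null) return false;
        String scheme = Uri.parse(url).getScheme();
        return "https".equalsIgnoreCase(scheme) || "http".equalsIgnoreCase(scheme);
    }
}
```

If the Activity has no reason to be reachable from other apps, setting android:exported="false" in the manifest removes the external entry point altogether.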

Conclusion

The above are the three security vulnerabilities in WebView: arbitrary code execution, plaintext password storage and lax domain control, which generally appear in lower Android versions. If the App's minimum supported version is 4.4, the arbitrary code execution vulnerability will not exist.