Threat Category: Vulnerable Applications
ID: APP-8
Threat Description: A mobile app that implement a WebView, which allows it to render and potentially perform actions available in a web page, may contain vulnerabilities to common browser-based attacks, such as cross-site request forgery, cross-site scripting, and injection of malicious dynamic content (e.g., JavaScript). Further, exploits delivered over web pages may allow remote exploitation of vulnerabilities in other app components, thereby gaining access to data or functionality outside the context of the vulnerable WebView.
Threat Origin
Not Applicable, See Exploit or CVE Examples
Exploit Examples
WebView addJavaScriptInterface Remote Code Execution 1
DRD13. Do not provide addJavaScriptInterface method access in a WebView which could contain untrusted content 2
Remote code execution on Android devices 3
CVE Examples
Possible Countermeasures
Use app-vetting tools or services to identify vulnerable applications
Use a proxy or VPN for connections to decrease the chance of success of a man-in-the-middle attack.
Mobile App DeveloperAlways use https URLs for WebView content.
Avoid enabling the WebView JavaScript bridge (with addJavascriptInterface) unless explicitly needed.
References
“WebView addJavaScriptInterface Remote Code Execution”, 24 Sept. 2013; https://labs.mwrinfosecurity.com/blog/webview-addjavascriptinterface-remote-code-execution/ [accessed 8/25/2016] ↩
F. Long, “DRD13. Do not provide addJavascriptInterface method access in a WebView which could contain untrusted content. (API level JELLY_BEAN or below)”, 8 Apr. 2015; www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=129859614 [accessed 8/25/2016] ↩
T. Sutcliffe, “Remote code execution on Android devices”, blog, 31 July 2014; https://labs.bromium.com/2014/07/31/remote-code-execution-on-android-devices/ [accessed 8/25/2016] ↩