How can Android WebView be exploited, and how do I secure my app from WebView vulnerabilities?
The primary vulnerabilities involved in the WebView component are Insecure Direct Object References, SQL Injection, and Cross-Site Scripting (XSS).
While all three are potentially huge risks, the XSS vulnerability can potentially be used to gain access to shared preference files using the file:/// command, or can utilize smsJSInterface.launchSMSActivity to send unwanted SMS messages from the phone, in addition to stealing credentials or providing a false front to the HTML, CSS, JavaScript, or other browser-level behavior.
If you turn off JavaScript via setJavaScriptEnabled as follows, adversaries will not be able to run any JavaScript in order to perform XSS attacks:
myWebView.getSettings().setJavaScriptEnabled(false);
Or, if you can't do this, be sure that each context is escaped properly by using an XSS filter component such as the OWASP Java Encoder Project.
You can see what data is available to each WebView by using the sqlite3 command-line tool or a SQLite3-compatible browser to view the /app/-packagename-/db/webview.db file. Of course, any input that makes its way into the SQLite3 database, or that performs a query or other string operation against it, can become a potential insertion point for SQL injection, albeit in some cases a network MITM scenario may be required.
Some examples of insecure direct object references can be found in these penetration testing tutorials against the HerdFinancial app which is a part of the OWASP GoatDroid Project:
- http://jit6ndrakumar.blogspot.com/2014/07/android-app-pentesting-part3.html
- http://jit6ndrakumar.blogspot.com/2014/07/android-app-pentesting-part4.html
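To make the advice above concrete, here is a worked Android (Java) example of a hardened WebView setup. It is an added illustration, not code from the question, the answer, or any project named on this page. It covers the two paths the answer describes: disabling JavaScript outright, and, when JavaScript is genuinely needed, cutting off the file:/// read path and the JavaScript-bridge attack surface while escaping untrusted data with the OWASP Java Encoder. The host name app.example.com, the AppBridge interface name and the MinimalBridge class are assumptions for the example; the OWASP Java Encoder dependency (org.owasp.encoder:encoder) is assumed to be on the classpath.

```java
import android.annotation.SuppressLint;
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import org.owasp.encoder.Encode;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Hardened WebView configuration (added example, not from the answer above). */
public final class HardenedWebView {

    // Hypothetical allowlist of origins this app is willing to render.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("app.example.com"));

    private HardenedWebView() {}

    /** Preferred option: no JavaScript at all, so there is nothing for XSS to execute. */
    public static void configureStatic(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);
        lockDownFileAccess(s);
        webView.setWebViewClient(allowlistClient());
    }

    /**
     * Fallback when the page really needs JavaScript: keep it enabled, but remove
     * the file:// read path and keep the Java bridge minimal.
     */
    @SuppressLint("SetJavaScriptEnabled")
    public static void configureWithJavaScript(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);
        lockDownFileAccess(s);
        // Only add a bridge if you need one, and expose only @JavascriptInterface methods
        // that cannot send SMS, launch activities, or read files (hypothetical bridge).
        webView.addJavascriptInterface(new MinimalBridge(), "AppBridge");
        webView.setWebViewClient(allowlistClient());
    }

    /** Stop page script from reading local files (e.g. shared_prefs) via file:/// URLs. */
    private static void lockDownFileAccess(WebSettings s) {
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        s.setAllowFileAccessFromFileURLs(false);       // deprecated since API 30, still honored
        s.setAllowUniversalAccessFromFileURLs(false);  // deprecated since API 30, still honored
    }

    /** Client that refuses any navigation outside the https allowlist. */
    private static WebViewClient allowlistClient() {
        return new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true means "handled here", i.e. the WebView does not load it.
                return !isAllowed(request.getUrl());
            }
        };
    }

    /** Only https to an allowlisted host may load; file://, content:// and javascript: are refused. */
    static boolean isAllowed(Uri url) {
        return "https".equals(url.getScheme())
                && url.getHost() != null
                && ALLOWED_HOSTS.contains(url.getHost().toLowerCase());
    }

    /** Untrusted text placed into HTML is encoded for each context it lands in. */
    public static String renderGreeting(String untrustedName) {
        return "<html><body><h1>Hello, " + Encode.forHtml(untrustedName) + "</h1>"
             + "<script>var user = '" + Encode.forJavaScript(untrustedName) + "';</script>"
             + "</body></html>";
    }

    /** Hypothetical bridge exposing a single harmless method. */
    static final class MinimalBridge {
        @JavascriptInterface
        public String appVersion() {
            return "1.0";
        }
    }
}
```

Load the generated page with webView.loadDataWithBaseURL("https://app.example.com/", HardenedWebView.renderGreeting(name), "text/html", "UTF-8", null) so that the content runs under the allowlisted origin rather than a file:// or null origin. Two caveats: the WebResourceRequest form of shouldOverrideUrlLoading is only called on API 24 and later, so apps supporting older releases must also override the String-URL variant; and encoding is per context, so a value that ends up in an attribute or a URL needs Encode.forHtmlAttribute or Encode.forUriComponent rather than the two encoders shown.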