Cross-app scripting

OWASP category: MASVS-CODE: Code Quality

Overview

A WebView is an embedded browser component in Android applications that facilitates the display of web content within an app. It renders HTML, CSS, and JavaScript within the app's user interface.

Cross-App Scripting is broadly associated with the execution of malicious code in the context of a victim application. For the purposes of this documentation, the subject will be constrained specifically to the injection of malicious JavaScript code into a vulnerable WebView.

When an app accepts malicious JavaScript into a WebView without sufficient validation or sanitization, the application is vulnerable to cross-app scripting.

Impact

Cross-app scripting vulnerabilities can be exploited when attacker-controlled JavaScript content is passed to the vulnerable app's WebView without being validated or sanitized. As a result, the JavaScript code provided by the attacker is executed in the context of the victim application's WebView. The malicious JavaScript code can then use the same permissions as the victim app, which may lead to theft of sensitive user data and account hijacking.

Mitigations

Disable JavaScript

If your application does not require JavaScript, disabling it will ensure it does not become a threat:

Kotlin

// Get the WebView Object
val webView = findViewById<WebView>(R.id.webView)
val webSettings = webView.settings

// Disable JavaScript
webSettings.javaScriptEnabled = false

Java

// Get the WebView Object
WebView webView = (WebView) findViewById(R.id.webView);
WebSettings webSettings = webView.getSettings();

// Disable JavaScript for the WebView
webSettings.setJavaScriptEnabled(false);

If your application does require JavaScript, ensure that you own or control any JavaScript passed to the WebView. Avoid allowing the WebView to execute arbitrary JavaScript; see the guidance in the next section.

Ensure only expected content is loaded into WebView

When using methods like shouldOverrideUrlLoading(), loadUrl(), or evaluateJavascript(), make sure that any URLs passed to them are checked. As stated earlier, any JavaScript passed to the WebView should only come from expected domains, so it is important to verify what is being loaded.

Check OWASP's input validation documentation and this Android security checklist for WebViews for good advice and examples.
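As an added example (not code from the original page), the following Kotlin activity applies the checks described above: a strict https-plus-exact-host allowlist is enforced both on the URL the activity receives from another app and on every subsequent navigation inside the WebView. The layout id, the allowlisted hosts and the fallback page are hypothetical.

```kotlin
import android.net.Uri
import android.os.Bundle
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient
import androidx.appcompat.app.AppCompatActivity

// Hypothetical allowlist: only content the app owns may be loaded.
private val ALLOWED_HOSTS = setOf("app.example.com", "static.example.com")

// Accept only https URLs whose host matches the allowlist exactly
// (exact match rather than endsWith, so a lookalike host that merely
// contains an allowed name as a prefix is rejected).
fun isAllowedUrl(uri: Uri?): Boolean {
    if (uri == null) return false
    if (!uri.scheme.equals("https", ignoreCase = true)) return false
    val host = uri.host?.lowercase() ?: return false
    return host in ALLOWED_HOSTS
}

class ContentActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_content)   // hypothetical layout
        val webView = findViewById<WebView>(R.id.webView)

        webView.settings.apply {
            javaScriptEnabled = true      // needed only for the app's own pages
            allowFileAccess = false       // no file:// access
            allowContentAccess = false    // no content:// access
        }

        // Every navigation is re-checked, not just the first load.
        webView.webViewClient = object : WebViewClient() {
            override fun shouldOverrideUrlLoading(
                view: WebView, request: WebResourceRequest
            ): Boolean {
                // Returning true cancels the navigation.
                return !isAllowedUrl(request.url)
            }
        }

        // A URL handed to this activity by another app is untrusted input:
        // load it only if it passes the allowlist, otherwise fall back to a known page.
        val requested = intent?.data
        val target = if (isAllowedUrl(requested)) requested.toString()
                     else "https://app.example.com/home"
        webView.loadUrl(target)
    }
}
```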

Set secure file access settings for WebView

Ensuring that files are not accessible can prevent arbitrary JavaScript from being executed within WebViews. The following WebSettings should be considered when securing file access:

  • Disable file access. By default, setAllowFileAccess is set to True in API level 29 and lower, which will permit access to local files. In API level 30 and higher the default is False. To ensure file access is not permitted, explicitly set setAllowFileAccess to False.
  • Disable content access. The default setting of setAllowContentAccess is True. Content URL access allows WebView to load content from a content provider installed in the system. If your app does not require content access, set setAllowContentAccess to False to prevent potential misuse in case of a cross-app scripting attack.

Kotlin

webView.settings.javaScriptEnabled = false
webView.settings.domStorageEnabled = true
webView.settings.allowFileAccess = false
webView.settings.allowContentAccess = false

Java

webView.getSettings().setJavaScriptEnabled(false);
webView.getSettings().setDomStorageEnabled(true);
webView.getSettings().setAllowFileAccess(false);
webView.getSettings().setAllowContentAccess(false);

Enable Safe Browsing

Enable Safe Browsing in AndroidManifest.xml to scan URLs passed to WebView for phishing or malicious domains:

<meta-data android:name="android.webkit.WebView.EnableSafeBrowsing"
   android:value="true" />

Resources