Tencent Security Labs recently reported a vulnerability that affects a number of common apps. The report can be found at http://www.cnvd.org.cn/webinfo/show/4365. The issue, which has existed since 2014, stems from misconfiguration or misuse of the Android WebView class.
The following is an example of using WebView:
The Android documentation for WebSettings.setAllowFileAccess describes the setting as follows: enables or disables file access in WebView. Note that the assets and resources are still accessible even if file access is disabled.
A brief sample of URIs compared with the URL http://www.example.com/index.html under the same-origin policy is shown below:

| URL | Same-origin? | Description |
| --- | --- | --- |
| http://www.example.com/index2.html | Yes | Same origin |
| https://www.example.com/index.html | No | Protocol is different |
| http://example.com/index.html | No | Host is different |
| http://www.example.com:88/index.html | No | Port is different |
| file:///data/local/tmp/index.html | No | Protocol and host are different |
App B contains a WebView that accepts the following parameter, url:
If App A passes a file-scheme URL, "file:///data/local/tmp/index.html", as the "url" parameter for webView.loadUrl(url) in App B
The index.html file has the following content:
App A then reads App B's private file "/data/data/com.test.webv/abc.txt". In the above sample, the attacker must already be able to drop the malicious HTML document onto the user's device.
Workarounds for this potential WebView vulnerability include:
- Disable file-scheme URLs in the app if file access is not needed, by calling setAllowFileAccess(false) on the WebView's settings. Since files in the assets and res folders are not affected by this setting, fixed HTML can still be placed in those folders.
- Check for file-scheme URLs to eliminate directory traversal attacks.
- If the activity does not need to be exported, set android:exported="false" in its Activity tag in the manifest. Otherwise, validate the parameters passed to the WebView.
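The following added example (Java, written for this page and not taken from the report or from the affected apps) shows the workarounds applied together: file access disabled on the WebView, and the "url" parameter checked for an http(s) scheme on an allow-listed host before loadUrl is called. The ALLOWED_HOSTS list and the "url" extra name are assumptions.

```java
import android.content.Intent;
import android.net.Uri;
import android.webkit.WebSettings;
import android.webkit.WebView;
import java.util.Locale;

/** Hardened WebView loading (added example; not code from the original report). */
public final class SafeWebViewLoader {

    // Assumed allow-list: the only origins this app intends to render.
    private static final String[] ALLOWED_HOSTS = { "www.example.com" };

    /** Apply the settings the workarounds call for. */
    public static void harden(WebView webView) {
        WebSettings s = webView.getSettings();
        // Default is true for apps targeting API 29 and below, so set it explicitly.
        s.setAllowFileAccess(false);
        // Legacy flags that widen what file:// content may reach; keep them off too.
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        // Enable JavaScript only if the rendered page genuinely needs it.
        s.setJavaScriptEnabled(false);
    }

    /** True only for http(s) URLs on an allow-listed host; file:, content:, javascript: are rejected. */
    public static boolean isAllowedUrl(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        if (scheme == null) return false;
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("https") && !scheme.equals("http")) return false;
        String host = uri.getHost();
        if (host == null) return false;
        for (String allowed : ALLOWED_HOSTS) {
            if (allowed.equalsIgnoreCase(host)) return true;
        }
        return false;
    }

    /** Load the "url" extra from a launching Intent only after validation. */
    public static void loadFromIntent(WebView webView, Intent intent) {
        harden(webView);
        String url = intent.getStringExtra("url"); // extra name assumed from the report
        if (isAllowedUrl(url)) {
            webView.loadUrl(url);
        } else {
            webView.loadUrl("about:blank"); // e.g. file:///data/local/tmp/index.html lands here
        }
    }
}
```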