On Android versions before 4.2 (Jelly Bean MR1, API level 17), and on any version when the app's targetSdkVersion is below 17, JavaScript that obtains a reference to an object exposed through addJavascriptInterface() can call every public method of that object. That includes getClass(), which every Java object inherits, and from a Class reference the script can use reflection to reach any other class in the process. Reflection is the set of APIs a program uses to examine or modify the runtime behaviour of code running in the Java Virtual Machine. On such platforms, JavaScript can drive reflection with something like:
function execute(cmdArgs) {
  // Any exposed object inherits getClass(); from Class we reach Runtime.exec()
  return boundObj.getClass().forName("java.lang.Runtime")
    .getMethod("getRuntime", null).invoke(null, null).exec(cmdArgs);
}
function getContents(inputStream) {
  // Read the spawned process's output a byte at a time via the Java InputStream
  var contents = "", b = inputStream.read();
  while (b != -1) { contents += String.fromCharCode(b); b = inputStream.read(); }
  return contents;
}
var p = execute(["/data/data/com.yourapp/malicious-app"]);
document.write(getContents(p.getInputStream()));
This lets an attacker run arbitrary Java code, and through Runtime.exec() arbitrary native commands, with the host application's UID and permissions. As an application developer, expose a Java object to the WebView only when you genuinely need to, and never to JavaScript from untrusted sources such as external websites. Where a bridge is required, set targetSdkVersion to 17 or higher and annotate each method that JavaScript may call with @JavascriptInterface; on Android 4.2 and later only those methods are then reachable, so getClass() is no longer exposed. Older devices do not enforce the annotation, so on them the bridge remains fully exposed regardless.
HttpOnly Cookies and the Secure Flag
Cookies are one of the most common ways web applications store per-client data; among other things, the server uses them to remember the session state from a previous visit. If untrusted JavaScript can read this data, a session cookie can be stolen outright. To prevent that, the server can mark a cookie HttpOnly in the Set-Cookie response header. The HttpOnly attribute is documented in RFC 6265, available at ietf.org.
An HttpOnly cookie is not exposed to client-side script: document.cookie, the usual channel for exfiltrating cookies through cross-site scripting (and historically through Flash), simply omits it. Note the limit of the protection: a script injected into the page can still issue requests that carry the cookie automatically, so HttpOnly prevents cookie theft, not misuse of the session from inside the page. Here's how the HttpOnly attribute appears in the HTTP headers:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: id=cdb6352b48e62e0691efe552e3e4cecb; path=/; HttpOnly
If your site is served over HTTPS and you set cookies from JavaScript, add the Secure attribute so the browser only sends the cookie over HTTPS; without it the cookie is also sent over plain HTTP to the same host, where it can be read on the wire. A cookie set from JavaScript cannot be HttpOnly (the attribute exists precisely to keep cookies away from script), so session identifiers should be issued by the server with both attributes set.
document.cookie = "name=value; expires=date; path=path; domain=domain; secure";
Preventing Local Files from Being Loaded in the WebView
The setAllowFileAccess() API controls whether the WebView may load file:// URLs from the device filesystem. It is one of several WebView settings you configure at runtime through WebSettings. For apps targeting API level 29 and below this setting is enabled by default; from API level 30 (Android 11) the default is off. It does not affect file:///android_asset (assets) and file:///android_res (resources), which the WebView can always load. If your app does not need filesystem access, turn the setting off:
settings.setAllowFileAccess(false);
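The two issues above, the reflection-exposed bridge and local file access, are usually fixed in the same place: wherever the app configures its WebView. The following Java class is an added example, not code from the original post. It shows a bridge class whose callable methods carry @JavascriptInterface, and a helper that disables file access and only installs the bridge on platforms that enforce the annotation. The names AppBridge and hardenWebView are chosen for this example, and it assumes the app's manifest or build file sets targetSdkVersion to 17 or higher (without that, Android 4.2+ still exposes every public method).

```java
import android.annotation.SuppressLint;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;

// Added example (not code from the original post): a WebView bridge and
// settings hardened against the two issues discussed above. AppBridge and
// hardenWebView are names chosen for this example. Assumes
// targetSdkVersion >= 17 in the app's build configuration.
public final class WebViewHardening {

    // With targetSdkVersion >= 17 on Android 4.2+, only methods carrying
    // @JavascriptInterface are reachable from page JavaScript. Everything
    // else, including the inherited public getClass(), is hidden, which
    // closes the reflection path used by the exploit above.
    public static final class AppBridge {
        @JavascriptInterface
        public String getAppVersion() {
            return "1.0"; // return only data you are willing to hand to any page
        }

        // Not annotated: invisible to JavaScript under the API 17+ rules.
        public void internalHelper() { }
    }

    @SuppressLint("SetJavaScriptEnabled")
    public static void hardenWebView(WebView webView, boolean needsJsBridge) {
        WebSettings settings = webView.getSettings();

        // Local file access: off unless the app really needs file:// URLs.
        // file:///android_asset and file:///android_res still load.
        settings.setAllowFileAccess(false);

        // Pages that are loaded from file:// must not read other local files
        // or make cross-origin requests. Both setters exist from API 16.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            settings.setAllowFileAccessFromFileURLs(false);
            settings.setAllowUniversalAccessFromFileURLs(false);
        }

        // A WebView with JavaScript disabled cannot reach the bridge at all,
        // so only enable it when the bridge is actually required.
        settings.setJavaScriptEnabled(needsJsBridge);
        if (!needsJsBridge) {
            return;
        }

        // The @JavascriptInterface restriction is enforced only on 4.2+
        // (API 17). On older devices every public method, including
        // getClass(), is exposed, so do not install the bridge there unless
        // the loaded content is fully under your control.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new AppBridge(), "AppBridge");
        }
    }
}
```

Call hardenWebView(webView, false) for WebViews that only render content, and hardenWebView(webView, true) only where the page genuinely needs to call into the app; in the latter case the content should still come from a source you control, since the annotated methods remain callable by whatever JavaScript the WebView runs.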