Securing WebViews in Android Applications
An application is vulnerable if the following conditions are true:
- The application is compiled for API level 16 or below (targetSdkVersion is 16 or lower).
- The application requests content from the server over plaintext (HTTP) communication.
- The application loads third-party content, such as ads or content from partner websites.
- Your application has a persistent cross-site scripting vulnerability.
For a free scan of your Android app for this issue, contact firstname.lastname@example.org at any time.
Below are the code-level details to fix this vulnerability:
- Compile with API level 17 or above, and enable the JavaScript bridge only if the platform level is 17 or above.
- Use shouldOverrideUrlLoading to allow only trusted content.
Below are the steps to implement API level 17 and above for your application.
Code for exposing native methods in WebViews in API level 17 and above is shown below:
To make sure the application targets API level 17, check the Android properties section of the IDE you are developing the project in. For ADT (Eclipse) it should look like the screenshot below:
Additionally, if you are using Eclipse you can verify the target property in the project.properties file. Also, make sure the element in the AndroidManifest.xml file is set as follows:
The above AndroidManifest.xml setting ensures that your application only runs on devices running Android 4.2 and above. However, this is not a convenient option for many developers, since about half of the devices in the market do not fall in this subset.
Another option that may be more feasible as it safely allows the application to run on a lower version of Android is shown below:
- Make sure the application targets API level 17. This can be verified using the check described above.
- Configure the element in the AndroidManifest.xml file as shown below.
The second approach, described below, is aimed at minimizing the risk rather than eradicating the issue. WebViews in Android allow the application to control which URLs load in the WebView using the shouldOverrideUrlLoading method. One fact to note here is that the initial URL loaded into the WebView with the loadUrl method is not intercepted by shouldOverrideUrlLoading; however, any subsequent URLs loaded in the WebView as a result of user navigation are intercepted by it.
An example of using the shouldOverrideUrlLoading method is given below:
In the above code we make sure our WebView loads only the datatheorem.com domain retrieved over SSL (HTTPS).
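The following is an added example (not the original post's code) combining both recommendations above: a WebViewClient that allows only HTTPS navigation to one trusted host, and a JavaScript bridge that is registered only on API level 17 and above, where @JavascriptInterface limits what page scripts can reach. The trusted host name "www.datatheorem.com" and the bridge method are assumptions for illustration.

```java
// Added example, not from the original post. Assumes the trusted host below.
import android.annotation.SuppressLint;
import android.net.Uri;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class TrustedWebViewClient extends WebViewClient {
    // Assumed trusted host; compare the whole host, not a substring, so that
    // hosts such as "www.datatheorem.com.example" are rejected.
    private static final String TRUSTED_HOST = "www.datatheorem.com";

    /** True only for an https URL whose host is exactly the trusted host. */
    static boolean isTrusted(String url) {
        Uri uri = Uri.parse(url);
        String host = uri.getHost();
        return "https".equalsIgnoreCase(uri.getScheme())
                && host != null
                && host.equalsIgnoreCase(TRUSTED_HOST);
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        // Returning true cancels the navigation; false lets the WebView load it.
        return !isTrusted(url);
    }

    /** Bridge object; on API 17+ only @JavascriptInterface methods are callable from JS. */
    public static class Bridge {
        @JavascriptInterface
        public String getAppVersion() { return "1.0"; } // hypothetical method
    }

    @SuppressLint("SetJavaScriptEnabled")
    public static void setup(WebView webView, String startUrl) {
        webView.setWebViewClient(new TrustedWebViewClient());
        webView.getSettings().setJavaScriptEnabled(true);
        // Register the bridge only on API 17+ (Android 4.2), as the post recommends.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new Bridge(), "AndroidBridge");
        }
        // loadUrl bypasses shouldOverrideUrlLoading, so validate the initial URL here.
        if (!isTrusted(startUrl)) {
            throw new IllegalArgumentException("untrusted start URL: " + startUrl);
        }
        webView.loadUrl(startUrl);
    }
}
```

Note that shouldOverrideUrlLoading governs navigation only; subresource requests (scripts, images) made by the loaded page are not routed through it.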
- http://18.104.22.168/blog/
- http://securityshastra.blogspot.com/2013/07/remote-code-execution-in-android.html
- The paper titled “Attacks on WebView in the Android System” gives a good understanding of the threat model of exposing WebViews on an Android device.