My presentation about the insecurity you may feel due to dealing with insecure WebViews in your Android apps, as presented at droidcon London on November 1st, 2024.
Intro
Is your relationship with WebViews healthy? Sometimes you just can't avoid the need to display web content in your app. It might be functionality that you need to push out quickly and that the web developers on your team have already implemented, or just a Terms and Conditions page that you have to display in your app but also need to be able to update without going through a release cycle.
Either way, web content tends to make its way into many apps, and it's not obvious how much adding even a single WebView can open up your app to abuse by malicious actors. Google has made steady progress in making WebViews more secure, but in most cases you can't stop supporting those old, vulnerable Android versions, and then it's your responsibility to secure your WebViews. This talk aims to help with that while also highlighting security issues that lurk in these seemingly simple yet quite complex APIs.
The talk describes the major security mistakes unaware developers can make when using WebViews in their app, how to fix them, and what actual exploitation these mistakes can lead to if they remain in the app.
Key takeaways: always sanitize inputs, restrict capabilities to what is actually needed (WebView does not use secure defaults in a lot of cases), and use more modern APIs like Custom Tabs, JavaScript Engine or AndroidX's WebView variant.
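As an added example (not code from the talk or from the SecureWebView library), here is a Kotlin extension that applies the "restrict capabilities" and "sanitize inputs" takeaways: it turns off the permissive WebSettings defaults, enables Safe Browsing through the AndroidX Webkit library where supported, allow-lists navigation to https on known hosts, and escapes a caller-supplied string with Apache Commons Text before handing it to evaluateJavascript. The host names and the showGreeting page function are assumptions.

```kotlin
import android.webkit.WebResourceRequest
import android.webkit.WebSettings
import android.webkit.WebView
import android.webkit.WebViewClient
import androidx.webkit.WebSettingsCompat
import androidx.webkit.WebViewFeature
import org.apache.commons.text.StringEscapeUtils

// Constructed allowlist: the only hosts this WebView may navigate to.
private val allowedHosts = setOf("www.example.com", "terms.example.com")

fun WebView.hardenForTrustedContent(needsJavaScript: Boolean) {
    settings.apply {
        // JavaScript is off by default; only opt in when the page genuinely needs it.
        javaScriptEnabled = needsJavaScript
        // Both default to true on older API levels, letting web content read
        // app-private files through file:// and content:// URLs.
        allowFileAccess = false
        allowContentAccess = false
        // Deprecated since API 30 but still effective on the old versions you
        // cannot drop; both let a file:// page reach other origins.
        allowFileAccessFromFileURLs = false
        allowUniversalAccessFromFileURLs = false
        javaScriptCanOpenWindowsAutomatically = false
        setGeolocationEnabled(false)
        // An https page must not pull in cleartext sub-resources.
        mixedContentMode = WebSettings.MIXED_CONTENT_NEVER_ALLOW
    }
    // AndroidX Webkit: enable Safe Browsing only where the installed WebView supports it.
    if (WebViewFeature.isFeatureSupported(WebViewFeature.SAFE_BROWSING_ENABLE)) {
        WebSettingsCompat.setSafeBrowsingEnabled(settings, true)
    }
    webViewClient = object : WebViewClient() {
        // Returning true cancels the navigation: only https to allow-listed hosts proceeds.
        override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean {
            val uri = request.url
            return !(uri.scheme == "https" && uri.host in allowedHosts)
        }
    }
}

// "Sanitize inputs": never splice a raw string into JavaScript. escapeEcmaScript turns
// quotes, backslashes and line breaks into escape sequences, so the value stays a
// string literal no matter what it contains. showGreeting is an assumed page function.
fun WebView.callShowGreeting(userName: String) {
    val safe = StringEscapeUtils.escapeEcmaScript(userName)
    evaluateJavascript("showGreeting(\"$safe\")", null)
}
```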
Links
My SecureWebView library:
https://github.com/balazsgerlei/SecureWebView
Chrome Remote Debugging
https://developer.chrome.com/docs/devtools/remote-debugging
https://developer.chrome.com/docs/devtools/console/javascript
Android Scoped Storage Demystified by Niharika Arora
https://betterprogramming.pub/android-scoped-storage-demystified-3024a062ba24
Evercookie by Samy Kamkar
https://github.com/samyk/evercookie
AndroidX Webkit library
https://developer.android.com/reference/androidx/webkit/package-summary.html
https://developer.android.com/jetpack/androidx/releases/webkit
Apache Commons Text library
https://github.com/apache/commons-text
OWASP Enterprise Security API (ESAPI)
https://owasp.org/www-project-enterprise-security-api/
AndroidX JavaScriptEngine library
https://developer.android.com/develop/ui/views/layout/webapps/jsengine
https://developer.android.com/jetpack/androidx/releases/javascriptengine
AndroidX Browser library (Custom Tabs)
https://developer.android.com/jetpack/androidx/releases/browser
Modern WebView best practices (Android Dev Summit '18)
https://youtu.be/HGZYtDZhOEQ
Android Security Evolution
https://balazsgerlei.com/AndroidSecurityEvolution
Executing JavaScript and WebAssembly
https://developer.android.com/develop/ui/views/layout/webapps/jsengine
Overview of Android Custom Tabs
https://developer.chrome.com/docs/android/custom-tabs/
HackTricks - Webview Attacks
https://book.hacktricks.xyz/mobile-pentesting/android-app-pentesting/webview-attacks