Overcoming Unsecurities in WebViews // droidcon London 2024

Transcript

1. Balázs Gerlei @balazsgerlei Overcoming Unsecurities in WebViews

2. nevis.net

3. WebView History • Default way to display web content in

   Android apps • Built on top of the open-source Chromium project • Originally part of Android itself • Since Android 5.0 (API 21) it’s a separate app, distributed through Google Play Store • On Android 7 (API 24 & 25), 8 (API 26 & 27), and 9 (API 28), it is built into Chrome • From Android 10 (API 29), it is separate app again

4. Relevant classes <<Abstract>> WebViewClient + shouldOverrideUrlLoading: Boolean + onLoadResource: void

   … WebView + loadUrl(url: String): void + loadData(data: String, mimeType: String, encoding: String): void … WebChromeClient + onProgressChanged(view: WebView, newProgress: Integer): void + onReceivedTitle(view: WebView, title: String): void … WebSettings + setJavaScriptEnabled (flag: Boolean): void + setTextZoom (textZoom: Integer): void …

5. How to create a WebView <WebView android:id="@+id/webview" android:layout_width="match_parent" android:layout_height="match_parent" />

   val webView = WebView(activityContext) webView.webViewClient = WebViewClient() webView.loadUrl("http://example.com") val webView: WebView = findViewById(R.id.webview) webView.webViewClient = WebViewClient() webView.loadUrl("http://example.com")

6. How to create a WebView in Compose @Composable fun WebViewSample(

   url: String, webViewClient: WebViewClient = WebViewClient() ) { AndroidView( factory = { context -> WebView(context).apply { this.webViewClient = WebViewClient() } }, update = { webView -> webView.loadUrl("http://www.example.com") } ) }

7. Opt-out of metrics collection • For users who share usage

   statistics and diagnostics with Google, WebView sends usage statistics and crash reports • Apps can opt-out of this <manifest> <application> <meta-data android:name="android.webkit.WebView.MetricsOptOut" android:value="true" /> ... </application> </manifest>

8. Remote Debugging • Never enable it for non-debug builds (it’s

   disabled by default)! • It enables interaction and arbitrary JavaScript execution within the WebView content via Chrome Developer Tools • developer.chrome.com/docs/devtools/remote-debugging • developer.chrome.com/docs/devtools/console/javascript chrome://inspect#devices

9. BEAKOUT

10. Breakout • If you don’t restrict the URLs that can

    be loaded, navigation to a search engine (e.g., Google) may be possible • From there any website can be loaded • More dangerous when combined with other vulnerabilities (e.g., enabled debugging or clear text traffic) and attacks (e.g., MitM, protocol downgrade) that exploit them • Especially dangerous if JavaScript execution is enabled

11. Clear Text Traffic • Even though Network Security Config is

    available since Android 7 (API 24), WebViews only respect it since Android 8 (API 25) • Even if you disabled clear text traffic, WebViews might still allow it! • You need to manually prevent loading URLs with http protocol object : WebViewClient() { override fun shouldOverrideUrlLoading( view: WebView?, request: WebResourceRequest? ): Boolean { if ("http" == request?.url?.scheme) { return true } ... } }

12. HTTP Strict Transport Security (HSTS) • HSTS helps to protect

    websites against man-in-the-middle attacks such as protocol downgrade and cookie hijacking • The best is to not allow clear text traffic at all • But if you really need to, you should at least enforce HSTS in Network Security Config <network-security-config> <base-config hstsEnforced="true"> ... </base-config> ... </network-security-config>

13. Opaque Origin • When displaying local web content, setting the

    base URL is often forgotten • No surprise as the default loadData method doesn’t allow it you should not use that method • Same Origin Checks would thus fail (when e.g., navigating to a web URL) it is tempting to just disable them BUT DON’T DO THAT • Instead, the newer loadDataWithBaseUrl should be used • Additional benefit is that it accepts more types of encoding (including UTF-8) DON’T webView.loadData(Base64.encode(data.toByteArray()), "text/html", "base64")

14. Opaque Origin • When displaying local web content, setting the

    base URL is often forgotten • No surprise as the default loadData method doesn’t allow it you should not use that method • Same Origin Checks would thus fail (when e.g., navigating to a web URL) it is tempting to just disable them BUT DON’T DO THAT • Instead, the newer loadDataWithBaseUrl should be used • Additional benefit is that it accepts more types of encoding (including UTF-8) DO webView.loadDataWithBaseURL("https://www.example.com", data, "text/html", "UTF-8", historyUrl)

15. Safe Browsing • Google Safe Browsing is a service that

    lets client applications check URLs against Google's constantly updated lists of unsafe web resources • Enabled by default since Android 8 (API 26) and WebView v66 • You can also explicitly enable it <manifest> <application> <meta-data android:name="android.webkit.WebView.EnableSafeBrowsing" android:value="true" /> ... </application> </manifest>

16. File Access • Allowed by default up to Android 10

    (API 29) • Of course, READ_EXTERNAL_STORAGE permission is needed for the app to use it • Further complicated with Scoped Storage from Android 11 (API 30, opt out possible) and 12 (API 31, no opt-out) • Still quite easy to access Media files and files that were created by the app webView.settings.allowFileAccess = false

17. Briefly about Scoped Storage betterprogramming.pub/android-scoped-storage-demystified-3024a062ba24

18. betterprogramming.pub/android-scoped-storage-demystified-3024a062ba24

19. Content Provider Access • Still allowed by default • On

    all Android versions! • Data published by your Content Providers can be accessed by their URI webView.settings.allowContentAccess = false

20. Cookies!

21. Cookies in WebViews • Not clearing cookies can be a

    problem • Cookie jar is shared within the same process, you cannot clear cookies for individual WebViews (unless they run in their own process) • Don’t forget evercookies • github.com/samyk/evercookie

22. Jetpack to the rescue!

23. androidx.webkit • Backport of newer android.webkit APIs to older versions

    • Classes: WebViewCompat, WebSettingsCompat, etc. • Features: Dark mode, overriding user agent, multi-profile, etc. • developer.android.com/reference/androidx/webkit/package- summary.html • developer.android.com/jetpack/androidx/releases/webkit

24. Running JavaScript • JavaScript rendering runs in a separate process

    from Android 8 (API 26) • On older versions it can access the memory of the application • By default, loadUrl can run JavaScript code you should not use it • The dedicated method instead is evaluateJavaScript • You get the result in a callback • It also can persist JavaScript objects between navigation DON’T webView.loadUrl("javascript:void(alert(\"Hi!\"))")

25. Running JavaScript • JavaScript rendering runs in a separate process

    from Android 8 (API 26) • On older versions it can access the memory of the application • By default, loadUrl can run JavaScript code you should not use it • The dedicated method instead is evaluateJavaScript • You get the result in a callback • It also can persist JavaScript objects between navigation DO webView.evaluateJavascript("javascript:void(alert(\"Hi!\"))", resultCallback)

26. Running JavaScript • If you accept (user) input (from untrusted

    sources) you should always escape/sanitize them to avoid code injection • E.g., basic escaping via StringEscapeUtils.escapeEcmaScript from Apache Commons Text • github.com/apache/commons-text • Or more robust with OWASP Enterprise Security API (ESAPI) • owasp.org/www-project-enterprise-security-api

27. Running JavaScript • If you need to interact with native

    code from JavaScript, be very careful how you use the Javascript Bridge • Use the @JavascriptInterface annotation that prevents unauthorized method access (through reflection), limiting the attack surface • Potential exploitation for instance, via an XSS attack, that enables the calling of exposed Java methods • To mitigate risks, restrict JavaScript bridge usage to code shipped with the APK and prevent loading JavaScript from remote sources

28. Jetpack to the rescue!

29. JavaScript Engine • Available on Android 8 (API 26) and

    above • But still in Beta • Provides a way to evaluate JavaScript code without creating a WebView instance • Can be done in a Service (WorkManager task) • Still uses a WebView behind the scenes The WebView installed on device needs to support it • Multiple isolated environments with low overhead, enabling the application to run several JavaScript snippets simultaneously • Cannot make network requests developer.android.com/develop/ui/views/layout/webapps/jsengine

30. Custom Tabs • Originally a Google Chrome feature, since then

    it formed into a standard, implemented by most modern browsers on Android • developer.android.com/jetpack/androidx/releas es/browser • An instance of the browser runs in the task of the caller app • Shares cookie jar with the real browser • Security is the responsibility of the browser, web pages have no access to your app • Customizable look and feel

31. Takeaways • Use JavaScript Engine, Custom Tabs or open links

    in an external browser • Properly configure your WebView • Only enable features like JavaScript evaluation, file and Content Provider access if it is really needed, otherwise explicitly disable • Use the right APIs • loadDataWithBaseUrl, evaluateJavascript, @JavascriptInterface, etc. • Restrict what URI to load • Use allow list instead of block list if possible • Don’t allow clear text or at least enforce HSTS

32. SecureWebView github.com/balazsgerlei/SecureWebView

33. Thank you! • Modern WebView best practices (Android Dev Summit

    ‘18) • youtu.be/HGZYtDZhOEQ • Android Security Evolution • balazsgerlei.com/AndroidSecurityEvolution • Executing JavaScript and WebAssembly • developer.android.com/develop/ui/views/layout/webapps/jsengine • Overview of Android Custom Tabs • developer.chrome.com/docs/android/custom-tabs/ • HackTricks - Webview Attacks • book.hacktricks.xyz/mobile-pentesting/android-app-pentesting/webview-attacks Balázs Gerlei @balazsgerlei speakerdeck.com/balazsgerlei

34. Thank you! • Modern WebView best practices (Android Dev Summit

    ‘18) • youtu.be/HGZYtDZhOEQ • Android Security Evolution • balazsgerlei.com/AndroidSecurityEvolution • Executing JavaScript and WebAssembly • developer.android.com/develop/ui/views/layout/webapps/jsengine • Overview of Android Custom Tabs • developer.chrome.com/docs/android/custom-tabs/ • HackTricks - Webview Attacks • book.hacktricks.xyz/mobile-pentesting/android-app-pentesting/webview-attacks @mastodon.social speakerdeck.com/balazsgerlei @balazsgerlei