AttackFlow Findings Dictionary


Insecure API Usage - Geolocation API

Web content loaded in a WebView can obtain the user's physical location without any consent if the host application grants the Geolocation permission request silently instead of prompting the user.

Severity

High

Fix Cost

Low

Trust Level

Medium

A browser on Android can obtain the physical location of the device, but it must not hand that geolocation data to web content (and therefore to a remote server) without the explicit consent of the user. The W3C Geolocation API specification requires this of every conforming user agent.

On Android, web content loaded through a WebView may request geolocation information, and the application code has to ask the user for permission even when the application itself already holds the following Android permissions (the two location permissions are "dangerous" permissions that the user must additionally grant at runtime from Android 6.0 onwards):

  • android.permission.ACCESS_FINE_LOCATION
  • android.permission.ACCESS_COARSE_LOCATION
  • android.permission.INTERNET

When content in the WebView asks for permission to access geolocation information and no permission state is stored for that origin, the WebChromeClient method onGeolocationPermissionsShowPrompt is called so that the host application can show a prompt to the user. Overriding this method to grant the request unconditionally, as in the snippet below, bypasses the permission prompt entirely and does not abide by the W3C requirement:

            @Override
            public void onGeolocationPermissionsShowPrompt(String origin, GeolocationPermissions.Callback callback) {
                // Vulnerable: grants any origin access to the device location without ever showing a prompt.
                // allow = true, retain = false: granted silently for this request, not persisted across sessions.
                callback.invoke(origin, true, false);
            }

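The following WebChromeClient shows the corrected behaviour that the finding calls for: untrusted or non-HTTPS origins are denied outright, and trusted origins still only receive the location after the user explicitly allows it in a dialog. This is an added example written for this entry, not code from AttackFlow or from the Android SDK documentation; the class name, the TRUSTED_HOSTS allowlist and the attach() helper are assumptions for illustration, while WebChromeClient, GeolocationPermissions.Callback, onGeolocationPermissionsShowPrompt, onGeolocationPermissionsHidePrompt and WebSettings.setGeolocationEnabled are real Android APIs.

```java
import android.app.Activity;
import android.app.AlertDialog;
import android.net.Uri;
import android.webkit.GeolocationPermissions;
import android.webkit.WebChromeClient;
import android.webkit.WebSettings;
import android.webkit.WebView;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Illustrative WebChromeClient (hypothetical name): prompts the user per origin instead of
// granting geolocation silently. Not part of AttackFlow or the Android SDK.
public class GeolocationPromptingChromeClient extends WebChromeClient {

    // Assumed allowlist: only content served from these HTTPS hosts is even asked about.
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<>(Arrays.asList("example.com", "maps.example.com"));

    private final Activity activity;
    private AlertDialog pendingDialog;

    public GeolocationPromptingChromeClient(Activity activity) {
        this.activity = activity;
    }

    // Wires a WebView to this client. Geolocation in the WebView also requires the app to hold
    // ACCESS_FINE_LOCATION / ACCESS_COARSE_LOCATION, granted at runtime on Android 6.0+.
    public static void attach(WebView webView, Activity activity) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);
        settings.setGeolocationEnabled(true);
        webView.setWebChromeClient(new GeolocationPromptingChromeClient(activity));
    }

    // True only for an https origin (e.g. "https://example.com") whose host is allowlisted.
    static boolean isTrustedOrigin(String origin) {
        Uri uri = Uri.parse(origin);
        return "https".equals(uri.getScheme())
                && uri.getHost() != null
                && TRUSTED_HOSTS.contains(uri.getHost());
    }

    @Override
    public void onGeolocationPermissionsShowPrompt(final String origin,
                                                   final GeolocationPermissions.Callback callback) {
        // Untrusted or non-HTTPS origins are denied and never see a prompt (allow = false).
        if (!isTrustedOrigin(origin)) {
            callback.invoke(origin, false, false);
            return;
        }
        // Trusted origins still need an explicit, per-request user decision, as W3C requires.
        // retain = false means the answer is not persisted, so the user is asked again next time.
        pendingDialog = new AlertDialog.Builder(activity)
                .setTitle("Location request")
                .setMessage(origin + " wants to use your device's location.")
                .setCancelable(false)
                .setPositiveButton("Allow", (dialog, which) -> callback.invoke(origin, true, false))
                .setNegativeButton("Deny", (dialog, which) -> callback.invoke(origin, false, false))
                .create();
        pendingDialog.show();
    }

    @Override
    public void onGeolocationPermissionsHidePrompt() {
        // The page navigated away or cancelled its request: dismiss the dialog without answering,
        // so a stale "Allow" cannot be applied to a later request.
        if (pendingDialog != null && pendingDialog.isShowing()) {
            pendingDialog.dismiss();
        }
        pendingDialog = null;
    }
}
```

Two points worth checking in a review of real code: the origin string passed to onGeolocationPermissionsShowPrompt is controlled by whatever page is loaded, so it must be parsed and compared against an allowlist rather than matched with substring checks, and passing retain = true to callback.invoke persists the grant for that origin, which is only acceptable if the user was told the decision is remembered.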
