AttackFlow Findings Dictionary


Insecure API Usage - addJavascriptInterface

Malicious websites can access the internals of the target application.

Severity

High

Fix Cost

Low

Trust Level

Medium

Android allows content loaded into a WebView to interact with the Android application itself. The WebView.addJavascriptInterface API enables this interaction.

The WebSiteInterface class below can be made accessible to the WebView content by calling addJavascriptInterface.

            
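import android.content.Context;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.widget.Toast;

public class WebSiteInterface {
    Context context;

    WebSiteInterface(Context context) {
        this.context = context;
    }

    // Annotated: callable from JavaScript on every API level.
    @JavascriptInterface
    public void showToast(String message) {
        Toast.makeText(context, message, Toast.LENGTH_LONG).show();
    }

    // Not annotated, but still public: reachable from JavaScript below API level 17.
    public Context getContext() {
        return context;
    }

    public void setContext(Context context) {
        this.context = context;
    }
}

…
// Inside the Activity that hosts the WebView:
WebView webview = (WebView) findViewById(R.id.webview);
webview.addJavascriptInterface(new WebSiteInterface(this), "injectedInterface");
webview.loadUrl("http://www.thirpartyapplication.com");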
                
            

After the definition and the call, a loaded web site can access the interface's public methods that have the @JavascriptInterface annotation. However, on Android API levels lower than 17, any public method can be accessed from JavaScript, for example:

                
<script type="text/javascript">
var context = injectedInterface.getContext();
// ...
</script>
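A hardened counterpart to the interface above, added here as an example and not taken from the AttackFlow dictionary. It registers the bridge only on API level 17 and above, drops the getContext()/setContext() accessors, and loads content over HTTPS. The activity name, R.layout.main and the trusted URL are assumed placeholders.

```java
import android.app.Activity;
import android.content.Context;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.widget.Toast;

// Hypothetical activity; R.id.webview and "injectedInterface" come from the page.
public class HardenedWebViewActivity extends Activity {

    // Assumed placeholder for an HTTPS origin the application owner controls.
    private static final String TRUSTED_URL = "https://trusted.example.com/";

    // Bridge object: only showToast is declared. The getContext()/setContext()
    // accessors of the original class are dropped.
    public static final class WebSiteInterface {
        private final Context appContext;

        WebSiteInterface(Context context) {
            // Keep the application context rather than the Activity itself.
            this.appContext = context.getApplicationContext();
        }

        @JavascriptInterface
        public void showToast(String message) {
            Toast.makeText(appContext, message, Toast.LENGTH_LONG).show();
        }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main); // assumed layout name
        WebView webview = (WebView) findViewById(R.id.webview);
        webview.getSettings().setJavaScriptEnabled(true);

        // The @JavascriptInterface filter is enforced only from API level 17
        // (JELLY_BEAN_MR1), so the bridge is not registered on older devices.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webview.addJavascriptInterface(new WebSiteInterface(this), "injectedInterface");
        }

        // Load only content from the trusted origin, over HTTPS.
        webview.loadUrl(TRUSTED_URL);
    }
}
```

Setting minSdkVersion to 17 or higher in the manifest makes the runtime check redundant, since the application then never runs on an affected API level.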
                
            
