Analyzing an Android WebView exploit (opens in new tab)

(blogs.avg.com)

9 pointsnozepas12y ago4 comments

4 comments

4 comments · 2 top-level

girvo12y ago· 1 in thread

Damn I was hoping this bypassed permissions. It can still be dangerous; picture the Facebook app's permission structure, it uses a WebView (or used to anyway, I haven't used Android in a while now). An attacker could send a link that does something useful, or inject JavaScript into a legit page that when viewed in FB's app (coupled with an FB status worm, anyone?) sends messages to premium SMS numbers... the attacker could rack up quite a bit of money.

This is dangerous due to applications habit of requesting a lot of permissions, often for use cases that don't need that huge API in particular. The problem is, designing a more fine grained permissions structure that is tractable in terms of UI is a hard problem. This also points out one of the issues of androids lack of vendor supplied updates for anything less than a flagship phone :(

Does anyone know if WebView has been decoupled from the base OS in later versions? I know it has been hooked into Chrome now, right, so does that API get updated with Chrome itself?

keeperofdakeys12y ago

The changes to the WebView are purely about the rendering engine (and possibly javascript engine). The API itself hasn't changed, as any old app will use the new WebView as well.

The actual rendering engine change is from a generic WebKit to that of Blink, used in Chromium. Chrome the application is then a rebranded Chromium, which compared to the WebView, has a lot of its own code separate from the WebView.

dz0ny12y ago· 1 in thread

I think this is a bit misleading article. First in order to application to send SMS message or any other privileged action, it must declare that at install time (in manifest file). Second in order to send SMS and expose function to JS runtime, function must be of subclass of JavaScriptInterface class (pre JB), or you can use annotation if you are targeting JB+ devices.

This means function must be exposed and written before you can actuality use exploit. Bottom line you can't just send SMS from WebView just by "accident" :) And properly written applications should not expose that function in first place.

PhoneGap seem likely target for this exploit. Facebook, Instagram ... and many others not.

trurl4212y ago

That is wrong.

Pre JB you can run any function by using reflection, as is demonstrated in the example.

anyjavaobject.getClass().forName("android.telephony.SmsManager").. etc.

j / k navigate · click thread line to collapse