In this series of articles so far, we have discussed various techniques to identify and exploit vulnerabilities in Android applications. In the previous article, we saw how to exploit debuggable Android applications. In this article, let’s discuss the vulnerabilities associated with Android WebViews.

Topics Covered

  • Introduction to Android WebViews
  • Implementing WebViews in Android apps
  • Security issues
  • Exploiting Android WebView vulnerabilities using Metasploit
  • Using QR Code attacks

Let’s begin.

Introduction to WebViews

When developing an Android app, we can load a remote URL, or display HTML pages bundled with the application, inside an activity using WebView. Internally it uses the WebKit rendering engine to display web pages. It supports navigating forward and backward, text search, and so on, and it can optionally execute JavaScript.

Implementing WebViews in Android Apps

Implementing WebViews in Android applications is pretty simple. First, we set up an Android project like any other Android application project. Then we obtain a WebView object (typically from the activity layout) to use its functionality. Here are sample code snippets showing how this is done.

In order to load an Internet website:

WebView webview = (WebView) findViewById(R.id.mywebview);
webview.loadUrl("http://website.com");

Since we are accessing an Internet resource, the app needs network access for this to work. So we request the INTERNET permission by placing the following line in the AndroidManifest.xml file:

<uses-permission android:name="android.permission.INTERNET" />

In order to load a file from the file system:

WebView webview = (WebView) findViewById(R.id.mywebview);
webview.loadUrl("file:///android_asset/www/file.html");

Security Issues

As mentioned in the beginning, WebView supports JavaScript. It is disabled by default; if the content loaded into the WebView requires JavaScript, it can be enabled with the following lines.

WebView webview = (WebView) findViewById(R.id.mywebview);
WebSettings webSettings = webview.getSettings();
webSettings.setJavaScriptEnabled(true);

Another powerful feature of WebView is exposing the methods of a Java object to page JavaScript, via addJavascriptInterface.

This is one of the features that requires a keen eye when implementing, because any JavaScript that reaches the WebView (for example, injected into content loaded over plain HTTP) can call into the exposed interface. Below is a sample application by @jduck showing how the interface is implemented and how it can be exploited.

https://github.com/jduck/VulnWebView/
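To make the issue concrete, here is an added example (not code from the article or from jduck’s VulnWebView) that wires up the same WebView two ways: the vulnerable pattern described above, and a hardened form a code reviewer would ask for. The host name website.com is reused from the snippets above and is assumed to be the app’s own origin; the Bridge class and its method are hypothetical.

```java
import android.annotation.SuppressLint;
import android.net.Uri;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class WebViewSetup {
    // Hypothetical bridge object exposed to page script. With targetSdkVersion >= 17,
    // only methods carrying @JavascriptInterface are callable from JavaScript.
    public static class Bridge {
        @JavascriptInterface
        public String appVersion() { return "1.0"; } // intended, harmless
    }

    // Vulnerable pattern: JavaScript on, bridge exposed on every OS version, content
    // loaded over plain HTTP, so any script that ends up in the page reaches the bridge.
    // Below API 17 (Android 4.2) every public method of the object is reachable.
    @SuppressLint({"SetJavaScriptEnabled", "AddJavascriptInterface"})
    public static void vulnerable(WebView webview) {
        webview.getSettings().setJavaScriptEnabled(true);
        webview.addJavascriptInterface(new Bridge(), "bridge");
        webview.loadUrl("http://website.com");
    }

    // Hardened pattern.
    @SuppressLint("SetJavaScriptEnabled")
    public static void hardened(WebView webview) {
        final String trustedHost = "website.com"; // assumption: the app's own origin
        webview.getSettings().setJavaScriptEnabled(true);
        webview.getSettings().setAllowFileAccess(false);
        webview.getSettings().setAllowFileAccessFromFileURLs(false);
        webview.getSettings().setAllowUniversalAccessFromFileURLs(false);
        // No safe bridge exists below API 17: do not expose one there at all.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webview.addJavascriptInterface(new Bridge(), "bridge");
        }
        // Pin top-level navigation, and with it the bridge, to our own HTTPS origin.
        webview.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                Uri u = Uri.parse(url);
                boolean ours = "https".equals(u.getScheme()) && trustedHost.equals(u.getHost());
                return !ours; // returning true cancels the navigation
            }
        });
        webview.loadUrl("https://" + trustedHost);
    }
}
```

The version check matters because the @JavascriptInterface annotation is only honoured on devices running API 17 or later with targetSdkVersion 17 or later; on older devices the only safe choice is not to add the interface.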

Exploiting Android WebView Vulnerabilities using Metasploit

In this section, we will see how to exploit a recent vulnerability that affected most Android devices. This attack works on all devices running Android version 4.2 (JellyBean) and earlier.

  1. Launch Metasploit by typing “msfconsole” in a new terminal.
  2. Type “search android” to see all the exploits associated with Android. You should see the screen below (make sure you have updated Metasploit to see the same listing).

    We are going to use the exploit highlighted in the above figure, which targets vulnerable WebView components. You can get more information about this exploit with the “info” command.

  3. To load the exploit, use the command “use <exploit>” as shown below.

  4. Now we can see the options to be set with the “show options” command.
  5. The IP address and port for the reverse handler can be set manually; otherwise the default values are used.

    In our case, we are leaving the default values and setting the URIPATH as shown below.

  6. Once everything is set up, run the “exploit” command to start the reverse handler.

    As we can see in the above figure, a reverse handler has been started at http://192.168.1.104/srini0x00. We can share this URL directly with the victim. Once the victim opens it, a shell is opened on the device, as shown in the figure below.

Using QR Code Attacks

To make this attack even more convincing, we can embed the above URL in a QR code image. If a victim scans it with a QR code scanner, the URL pops up and is opened in a browser.

This can be achieved using the Social Engineering Toolkit.

Steps:

  1. Open up your Social Engineering Toolkit in Kali Linux by following the path given below.

    KaliLinux -> Exploitation Tools -> Social Engineering ToolKit -> se-toolkit

  2. Select Social Engineering Attacks, followed by QRCode Generator Attack Vector, as shown in the figure below.
  3. Now we have to enter the URL to be embedded in the QR code image, as shown in the figure below. In our case, this is http://192.168.1.104/srini0x00

    As we can see in the above figure, a QR code has been generated.

    If you go to the location where it is saved, it looks as shown in the figure below.

  4. If a victim scans this QR code with a QR code scanner app on an Android device, the URL is opened in a browser and a remote session is opened in Metasploit.

    QRCode opening the URL in a browser

    Session Opened in Metasploit

  5. Let’s have a look at all the active sessions.

  6. Now let’s start interacting with the session that appeared in the previous step. This is shown in the following figure.

  7. I have changed directory to /system/bin and am now executing the command “cat /proc/cpuinfo” to see the CPU information of the device.

Conclusion


In this article, we have discussed attacks associated with WebViews. Drozer can be used to find and exploit these vulnerabilities in Android apps; a link is provided in the references below if you are interested in using Drozer for this.

References and Credits

jduck, VulnWebView sample application (https://twitter.com/jduck, https://github.com/jduck/VulnWebView/)

MWR InfoSecurity Labs, “WebView addJavascriptInterface Remote Code Execution” (https://labs.mwrinfosecurity.com/blog/2013/09/24/webview-addjavascriptinterface-remote-code-execution/)